High Severity

Attachment: ICS calendar file with base64 encoded recipient address in URL parameters

Labels

Credential Phishing

Evasion

Description

Detects inbound messages containing ICS calendar attachments where event links have multiple URL parameters, and the base64 decoded combination of those parameters matches the recipient's email address. This technique may be used to personalize malicious links or track specific targets.

References

No references.

Sublime Security

Created May 12th, 2026 • Last updated May 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_type == "ics"
          or .file_extension == "ics"
          or .content_type in ("application/ics", "text/calendar")
        )
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        and any(beta.file.parse_ics(.).events,
                any(filter(.links, length(.href_url.query_params_decoded) > 1),
                    any(strings.scan_base64(strings.concat(coalesce(flatten(values(.display_url.query_params_decoded
                                                                            )
                                                                    )[0],
                                                                    ""
                                                           ),
                                                           coalesce(flatten(values(.display_url.query_params_decoded
                                                                            )
                                                                    )[1],
                                                                    ""
                                                           ),
                                                           coalesce(flatten(values(.display_url.query_params_decoded
                                                                            )
                                                                    )[2],
                                                                    ""
                                                           ),
                                                           coalesce(flatten(values(.display_url.query_params_decoded
                                                                            )
                                                                    )[3],
                                                                    ""
                                                           ),
                                                           coalesce(flatten(values(.display_url.query_params_decoded
                                                                            )
                                                                    )[4],
                                                                    ""
                                                           ),
                                                           coalesce(flatten(values(.display_url.query_params_decoded
                                                                            )
                                                                    )[5],
                                                                    ""
                                                           )
                                            )
                        ),
                        . == recipients.to[0].email.email
                    )
                )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.