High Severity

Attachment: ICS calendar file with QR code containing recipient email address

Labels

Credential Phishing

QR code

Description

Detects calendar attachments (.ics files) containing QR codes that include the recipient's email address in the URL, URL fragment, or base64-encoded data. This technique is commonly used to personalize credential theft attacks by embedding the target's email address within calendar invitations.

References

No references.

Sublime Security

Created Apr 20th, 2026 • Last updated Apr 20th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_type == "ics"
          or (
            .file_extension == "ics"
            or .content_type in ("application/ics", "text/calendar")
          )
        )
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        and any(beta.file.parse_ics(.).events,
                //
                // This rule makes use of a beta feature and is subject to change without notice
                // using the beta feature in custom rules is not suggested until it has been formally released
                //
                any(beta.scan_qr(file.html_screenshot(.description_html)).items,
                    strings.icontains(.url.url, recipients.to[0].email.email)
                    or any(strings.scan_base64(.url.url, format="url"),
                           strings.icontains(., recipients.to[0].email.email)
                    )
                    or any(strings.scan_base64(.url.fragment),
                           strings.icontains(., recipients.to[0].email.email)
                    )
                )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.