Medium Severity

Attachment: ICS calendar file with suspicious UID domain

Description

Detects inbound messages containing ICS calendar attachments where the event UID property ends with a specific domain (@example.com). Malicious actors may use calendar invites to socially engineer recipients into accepting fraudulent meetings or following malicious instructions embedded in calendar events.

References

No references.

Sublime Security
Created Jul 2nd, 2026 • Last updated Jul 2nd, 2026
Source
type.inbound
and any(attachments,
        (
          .file_type == "ics"
          or .file_extension == "ics"
          or .content_type in ("application/ics", "text/calendar")
        )
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        and any(beta.file.parse_ics(.).events,
                any(.raw_properties,
                    .key == "UID" and strings.iends_with(.value, "@example.com")
                )
        )
)    
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started