// Inbound message whose sender domain is one of the organization's own
// domains but which did not pass DMARC. coalesce() turns a missing/null
// DMARC verdict into false, so an absent auth result is treated as "not
// passed" rather than silently excluding the message.
type.inbound
and sender.email.domain.domain in $org_domains
and not coalesce(headers.auth_summary.dmarc.pass, false)
// has an ICS file (matched by extension or by declared content type)
and any(attachments,
        .file_extension == "ics" or .content_type == "text/calendar"
)
// and exactly one other attachment that is neither an ICS nor an image
// (per $file_types_images) and whose content_id appears in the parsed text
// of an ICS attachment, i.e. the calendar file references it.
// NOTE(review): `..content_id` is read here as the outer (candidate)
// attachment's content_id via a parent-scope reference — confirm against
// the MQL scoping rules before relying on this count.
and length(filter(attachments,
                  not (
                      .file_extension == "ics"
                      or .content_type == "text/calendar"
                      or .file_type in $file_types_images
                  )
                  and any(filter(attachments,
                                 .file_extension == "ics"
                                 or .content_type == "text/calendar"
                          ),
                          strings.contains(file.parse_text(.).text,
                                           ..content_id
                          )
                  )
           )
) == 1
// explode the ICS file and inspect its VEVENT component(s)
and any(filter(attachments,
               .file_extension == "ics" or .content_type == "text/calendar"
        ),
        any(file.explode(.),
            // attendee and organizer are both within org_domains
            any(.scan.ics.calendars,
                any(.components,
                    .type == "VEVENT"
                    // exactly one attendee, and that attendee is internal
                    and length(.attendees) == 1
                    and all(.attendees,
                            .mailbox.email.domain.domain in $org_domains
                    )
                    // at least one organizer is internal as well
                    and any(.organizers,
                            .mailbox.email.domain.domain in $org_domains
                    )
                    // the event carries at least one attachment, and every one
                    // of them is a "CID:" URI (presumably resolving to the
                    // embedded attachment counted above — not verified here)
                    and length(.attachments) > 0
                    and all(.attachments,
                            .type == "uri" and strings.starts_with(.uri, "CID:")
                    )
                )
            )
        )
)