Medium Severity

Attachment: ICS file with excessive custom properties

Labels

Malware/Ransomware
Evasion
ICS Phishing
File analysis
Content analysis

Description

ICS calendar attachment contains an unusually high number of custom X- properties, which may indicate attempts to hide malicious content or exploit calendar parsing vulnerabilities.

References

No references.

Sublime Security
Created Mar 17th, 2026 • Last updated Jun 2nd, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(filter(attachments,
               .file_type in~ ('ics')
               or .content_type in ("text/calendar", "application/ics")
        ),
        regex.icount(file.parse_text(.).text,
                     '[\r\n]X-[^\r\n]+\x3b\s?[^\r\n]+:\s*[a-f0-9]{32,}'
        ) > 10
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        or any(beta.file.parse_ics(.).events,
               length(filter(.raw_properties,
                             strings.istarts_with(.key, 'X-')
                             and regex.icontains(.value, '^[a-f0-9]{32,}$')
                      )
               ) > 10
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started