High Severity

Attachment: ICS with embedded Javascript in SVG file

Labels

Credential Phishing

Malware/Ransomware

Description

Detects incoming messages containing ICS attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

References

No references.

Sublime Security

Created Jan 29th, 2026 • Last updated Jan 29th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_extension in~ ('ics')
          or .content_type in ("application/ics", "text/calendar")
        )
        and any(file.explode(.),
                (
                  .file_extension in~ ("svg", "svgz")
                  or .flavors.mime == "image/svg+xml"
                )
                and any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*onload*",
                                      "*window.location.href*",
                                      "*onerror*",
                                      "*CDATA*",
                                      "*<script*",
                                      "*</script*",
                                      "*atob*",
                                      "*location.assign*",
                                      "*decodeURIComponent*"
                        )
                )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.