High Severity

Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender

Labels

Spam

Free email provider

Description

Attackers invite users to view a Google Calendar whose name contains a suspicious link, generally linking to spam content such as crypto giveaways, using open redirects to mask the true destination.

References

No references.

Sublime Security

Created Oct 10th, 2024 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and strings.iends_with(subject.subject, "has shared a calendar with you")
and strings.ilike(headers.message_id, "<calendar*@google.com>")
and sender.email.domain.domain in $free_email_providers
and any(body.links,
        any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
        or (
          any(ml.link_analysis(.).final_dom.links,
              any(.href_url.rewrite.encoders,
                  strings.icontains(., "open_redirect")
              )
          )
        )
)
and profile.by_sender().prevalence in ("new", "outlier")
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.