Sublime Security

Sublime Core Feed
ICS Phishing
Learn More
Login to Sublime
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
ICS Phishing
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Tactic or Technique: ICS Phishing
ICS phishing is a deceptive attack technique that uses calendar invite files (.ics) to deliver phishing content in a way that feels routine and trustworthy. These invites often appear as legitimate meeting requests from platforms like Microsoft 365 or Google Workspace, making them easy to accept without suspicion.
What makes this technique especially effective is how calendar systems handle invitations. In many environments, events can be automatically added to a user's calendar, giving attackers a second delivery channel beyond the inbox.
Once on the calendar, these events can contain phishing links, malicious attachments, or urgent instructions. Because calendar entries are persistent and trusted, the attack can continue even after the email is removed, increasing the likelihood of credential theft, malware downloads, or other compromise.
Blog Posts
ICS phishing: Stopping a surge of malicious calendar invites · Blog · Sublime Security
Automatic malicious calendar event remediation · Blog · Sublime Security
Attack Types (5):
Callback Phishing
Malware/Ransomware
Credential Phishing
BEC/Fraud
Spam
Detection Methods (10):
File analysis
Header analysis
Natural Language Understanding
Sender analysis
Content analysis
URL analysis
Whois
Javascript analysis
Archive analysis
HTML analysis
Rule Name & Severity
Last Updated
Types, Tactics & Capabilities
Callback phishing via calendar invite
2d ago
May 6th, 2026
Sublime Security
Callback Phishing
Social engineering
Evasion
ICS Phishing
File analysis
Header analysis
Natural Language Understanding
Sender analysis
Callback Phishing
Social engineering
Evasion
ICS Phishing
File analysis
Header analysis
Natural Language Understanding
Sender analysis
Attachment: ICS file with excessive custom properties
10d ago
Apr 28th, 2026
Sublime Security
Malware/Ransomware
Evasion
ICS Phishing
File analysis
Content analysis
Malware/Ransomware
Evasion
ICS Phishing
File analysis
Content analysis
Service abuse: Google Calendar notification with callback scam language
10d ago
Apr 28th, 2026
Sublime Security
Callback Phishing
ICS Phishing
Out of band pivot
Social engineering
Natural Language Understanding
Content analysis
Sender analysis
Callback Phishing
ICS Phishing
Out of band pivot
Social engineering
Natural Language Understanding
Content analysis
Sender analysis
Attachment: ICS file with AWS Lambda URL
10d ago
Apr 28th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
Free file host
ICS Phishing
Content analysis
File analysis
URL analysis
Credential Phishing
Malware/Ransomware
Evasion
Free file host
ICS Phishing
Content analysis
File analysis
URL analysis
Attachment: ICS with embedded document
10d ago
Apr 28th, 2026
Sublime Security
Malware/Ransomware
Evasion
ICS Phishing
File analysis
Malware/Ransomware
Evasion
ICS Phishing
File analysis
Attachment: Calendar invite with Google redirect and invoice request
10d ago
Apr 28th, 2026
Sublime Security
Credential Phishing
BEC/Fraud
ICS Phishing
Open redirect
Social engineering
File analysis
Natural Language Understanding
URL analysis
Credential Phishing
BEC/Fraud
ICS Phishing
Open redirect
Social engineering
File analysis
Natural Language Understanding
URL analysis
Attachment: ICS file with non-Gregorian calendar scale
10d ago
Apr 28th, 2026
Sublime Security
Credential Phishing
Evasion
ICS Phishing
File analysis
Content analysis
Credential Phishing
Evasion
ICS Phishing
File analysis
Content analysis
Attachment: Calendar invite from recently registered domain
10d ago
Apr 28th, 2026
Sublime Security
Callback Phishing
Evasion
ICS Phishing
Social engineering
File analysis
Whois
Callback Phishing
Evasion
ICS Phishing
Social engineering
File analysis
Whois
Attachment: ICS calendar with embedded file from internal sender with SPF failure
10d ago
Apr 28th, 2026
Sublime Security
Credential Phishing
Spoofing
Evasion
ICS Phishing
File analysis
Header analysis
Sender analysis
Credential Phishing
Spoofing
Evasion
ICS Phishing
File analysis
Header analysis
Sender analysis
Attachment: ICS with embedded Javascript in SVG file
10d ago
Apr 28th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Scripting
Evasion
ICS Phishing
File analysis
Javascript analysis
Sender analysis
Credential Phishing
Malware/Ransomware
Scripting
Evasion
ICS Phishing
File analysis
Javascript analysis
Sender analysis
Attachment: Calendar invite with suspicious link leading to an open redirect
10d ago
Apr 28th, 2026
Sublime Security
Spam
Free email provider
Free file host
Free subdomain host
ICS Phishing
Open redirect
Content analysis
URL analysis
Spam
Free email provider
Free file host
Free subdomain host
ICS Phishing
Open redirect
Content analysis
URL analysis
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
10d ago
Apr 28th, 2026
Sublime Security
Spam
Free email provider
Free file host
ICS Phishing
Open redirect
Social engineering
Content analysis
Sender analysis
URL analysis
Spam
Free email provider
Free file host
ICS Phishing
Open redirect
Social engineering
Content analysis
Sender analysis
URL analysis
Non-RFC compliant calendar files from unsolicited sender
10d ago
Apr 28th, 2026
Sublime Security
Evasion
ICS Phishing
Social engineering
Archive analysis
Content analysis
File analysis
Sender analysis
Evasion
ICS Phishing
Social engineering
Archive analysis
Content analysis
File analysis
Sender analysis
Attachment: HTML smuggling with atob and high entropy via calendar invite
10d ago
Apr 28th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
ICS Phishing
Scripting
File analysis
HTML analysis
Javascript analysis
Sender analysis
Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
ICS Phishing
Scripting
File analysis
HTML analysis
Javascript analysis
Sender analysis
Attachment: HTML smuggling with eval and atob via calendar invite
10d ago
Apr 28th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
ICS Phishing
Scripting
File analysis
HTML analysis
Javascript analysis
Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
ICS Phishing
Scripting
File analysis
HTML analysis
Javascript analysis
Attachment: ICS file with meeting prefix
10d ago
Apr 28th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
ICS Phishing
Social engineering
File analysis
Header analysis
BEC/Fraud
Credential Phishing
ICS Phishing
Social engineering
File analysis
Header analysis
Attachment: ICS with employee policy review lure
10d ago
Apr 28th, 2026
Sublime Security
Credential Phishing
BEC/Fraud
Evasion
ICS Phishing
Social engineering
File analysis
Content analysis
Credential Phishing
BEC/Fraud
Evasion
ICS Phishing
Social engineering
File analysis
Content analysis
Attachment: Calendar file with invisible Unicode characters
10d ago
Apr 28th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Malware/Ransomware
Evasion
ICS Phishing
File analysis
Content analysis
BEC/Fraud
Credential Phishing
Malware/Ransomware
Evasion
ICS Phishing
File analysis
Content analysis

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Callback phishing via calendar invite	2d ago May 6th, 2026	Sublime Security	Callback Phishing Social engineering Evasion ICS Phishing File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: ICS file with excessive custom properties	10d ago Apr 28th, 2026	Sublime Security	Malware/Ransomware Evasion ICS Phishing File analysis Content analysis
Service abuse: Google Calendar notification with callback scam language	10d ago Apr 28th, 2026	Sublime Security	Callback Phishing ICS Phishing Out of band pivot Social engineering Natural Language Understanding Content analysis Sender analysis
Attachment: ICS file with AWS Lambda URL	10d ago Apr 28th, 2026	Sublime Security	Credential Phishing Malware/Ransomware Evasion Free file host ICS Phishing Content analysis File analysis URL analysis
Attachment: ICS with embedded document	10d ago Apr 28th, 2026	Sublime Security	Malware/Ransomware Evasion ICS Phishing File analysis
Attachment: Calendar invite with Google redirect and invoice request	10d ago Apr 28th, 2026	Sublime Security	Credential Phishing BEC/Fraud ICS Phishing Open redirect Social engineering File analysis Natural Language Understanding URL analysis
Attachment: ICS file with non-Gregorian calendar scale	10d ago Apr 28th, 2026	Sublime Security	Credential Phishing Evasion ICS Phishing File analysis Content analysis
Attachment: Calendar invite from recently registered domain	10d ago Apr 28th, 2026	Sublime Security	Callback Phishing Evasion ICS Phishing Social engineering File analysis Whois
Attachment: ICS calendar with embedded file from internal sender with SPF failure	10d ago Apr 28th, 2026	Sublime Security	Credential Phishing Spoofing Evasion ICS Phishing File analysis Header analysis Sender analysis
Attachment: ICS with embedded Javascript in SVG file	10d ago Apr 28th, 2026	Sublime Security	Credential Phishing Malware/Ransomware Scripting Evasion ICS Phishing File analysis Javascript analysis Sender analysis
Attachment: Calendar invite with suspicious link leading to an open redirect	10d ago Apr 28th, 2026	Sublime Security	Spam Free email provider Free file host Free subdomain host ICS Phishing Open redirect Content analysis URL analysis
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender	10d ago Apr 28th, 2026	Sublime Security	Spam Free email provider Free file host ICS Phishing Open redirect Social engineering Content analysis Sender analysis URL analysis
Non-RFC compliant calendar files from unsolicited sender	10d ago Apr 28th, 2026	Sublime Security	Evasion ICS Phishing Social engineering Archive analysis Content analysis File analysis Sender analysis
Attachment: HTML smuggling with atob and high entropy via calendar invite	10d ago Apr 28th, 2026	Sublime Security	Credential Phishing Malware/Ransomware Evasion HTML smuggling ICS Phishing Scripting File analysis HTML analysis Javascript analysis Sender analysis
Attachment: HTML smuggling with eval and atob via calendar invite	10d ago Apr 28th, 2026	Sublime Security	Credential Phishing Malware/Ransomware Evasion HTML smuggling ICS Phishing Scripting File analysis HTML analysis Javascript analysis
Attachment: ICS file with meeting prefix	10d ago Apr 28th, 2026	Sublime Security	BEC/Fraud Credential Phishing ICS Phishing Social engineering File analysis Header analysis
Attachment: ICS with employee policy review lure	10d ago Apr 28th, 2026	Sublime Security	Credential Phishing BEC/Fraud Evasion ICS Phishing Social engineering File analysis Content analysis
Attachment: Calendar file with invisible Unicode characters	10d ago Apr 28th, 2026	Sublime Security	BEC/Fraud Credential Phishing Malware/Ransomware Evasion ICS Phishing File analysis Content analysis