You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
name: "Attachment: ICS calendar with embedded file from internal sender with SPF failure"
2
+
description: "Detects calendar invitations (ICS files) from internal domains that fail SPF authentication and contain embedded attachments, with single attendee and organizer both from organizational domains."
3
+
type: "rule"
4
+
severity: "high"
5
+
source: |
6
+
type.inbound
7
+
and sender.email.domain.domain in $org_domains
8
+
and not coalesce(headers.auth_summary.spf.pass, false)
9
+
// has an ICS file
10
+
and any(attachments,
11
+
.file_extension == "ics" or .content_type == "text/calendar"
12
+
)
13
+
// and a single other attachment that isn't an ICS but is embedded in the ICS
14
+
and length(filter(attachments,
15
+
not (
16
+
.file_extension == "ics" or .content_type == "text/calendar"
17
+
)
18
+
and any(filter(attachments,
19
+
.file_extension == "ics"
20
+
or .content_type == "text/calendar"
21
+
),
22
+
strings.contains(file.parse_text(.).text,
23
+
..content_id
24
+
)
25
+
)
26
+
)
27
+
) == 1
28
+
// exlode the ics file and look at the VEVENT file
29
+
and any(filter(attachments,
30
+
.file_extension == "ics" or .content_type == "text/calendar"
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments