[PR sublime-security#3756] added rule: PR# 3756 - Attachment: ICS file with meeting prefix

Author: github-actions[bot]

detection-rules/3756_attachment_ics_meeting_invite.yml

@@ -0,0 +1,26 @@
+name: "PR# 3756 - Attachment: ICS file with meeting prefix"
+description: "Detects incoming messages with a single ICS calendar file attachment that has a filename starting with 'meeting_'."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(attachments) == 1
+  and any(attachments,
+          .file_extension == "ics"
+          and regex.match(.file_name, '(meeting_)[-azA-z0-9]{5}\.ics')
+  )
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Header analysis"
+id: "5800490c-1a6f-5435-b593-a505507cca09"
+tags:
+  - created_from_open_prs
+  - rule_status_added
+  - pr_author_MSAdministrator
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/3756