New rule: Attachment: ICS with embedded Javascript in SVG file

D-Bolton · D-Bolton · commit 3e60f9f2b8bc · 2026-01-27T18:18:09.000-06:00
diff --git a/detection-rules/attachment_ics_svg_js.yml b/detection-rules/attachment_ics_svg_js.yml
@@ -0,0 +1,38 @@
+name: "Attachment: ICS with embedded Javascript in SVG file"
+description: "Detects incoming messages containing ICS attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (.content_type == "text/calendar" or .file_extension =~ "ics")
+          and any(file.explode(.),
+                  (
+                    .file_extension in~ ("svg", "svgz")
+                    or .flavors.mime == "image/svg+xml"
+                  )
+                  and any(.scan.strings.strings,
+                          strings.ilike(.,
+                                        "*onload*",
+                                        "*window.location.href*",
+                                        "*onerror*",
+                                        "*CDATA*",
+                                        "*<script*",
+                                        "*</script*",
+                                        "*atob*",
+                                        "*location.assign*",
+                                        "*decodeURIComponent*"
+                          )
+                  )
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Scripting"
+  - "Evasion"
+detection_methods:
+  - "File analysis"
+  - "Javascript analysis"
+  - "Sender analysis"
