[PR #3756] modified rule: Attachment: ICS file with meeting prefix

github-actions[bot] · github-actions[bot] · commit 7032e4f67567 · 2026-01-23T22:36:00.000Z
diff --git a/detection-rules/3756_attachment_ics_meeting_invite.yml b/detection-rules/3756_attachment_ics_meeting_invite.yml
@@ -5,7 +5,10 @@ severity: "high"
 source: |
   type.inbound
   and length(attachments) == 1
-  and any(filter(attachments, .content_type == "text/calendar"),
+  and any(filter(attachments,
+                 .file_extension in~ ('ics')
+                 or .content_type in ("application/ics", "text/calendar")
+          ),
           (
             regex.contains(.file_name, "meeting_[a-zA-Z]{5}")
             or regex.contains(.file_name, "meeting_[a-zA-Z0-9]{5}")
@@ -26,4 +29,4 @@ detection_methods:
 id: "5800490c-1a6f-5435-b593-a505507cca09"
 og_id: "383a5810-0b85-55a8-ac9b-e7135823317b"
 testing_pr: 3756
-testing_sha: 9e83c9d09aad5d5d4f120be567af049d78d43b48
+testing_sha: a1be97c3fcabbeef10ba61b4303d04670fc91b41
