search
Infiltr8ForumGitHub
githubEdit

Phishing with Calendars (.ICS Files)

hashtag
Theory

We can leverage calendar invites as an initial access vector, using the iCalendararrow-up-right (ICS) file format to create a phishing scenario.

The ICS File format is used on several Calendars like Google Calendar, Outlook, and Apple Calendar.

hashtag
Practice

hashtag
.ICS Format File Overview

The easiest way to get a .ics file is by creating a Google Calendar invite from one Gmail account to another and then downloading the invite.ics email attachment.

An example of an Exchange .ICS file can be found below:

chevron-right.ICS Examplehashtag
BEGIN:VCALENDAR
PRODID:Microsoft Exchange Server 2022
VERSION:2.0
CALSCALE:GREGORIAN
METHOD:REQUEST
BEGIN:VTIMEZONE
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
TZNAME:GMT+2
BEGIN:STANDARD
DTSTART:19701025T030000
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTART;TZID=Europe/Paris:20241224T080000
DTEND;TZID=Europe/Paris:20241224T090000
DTSTAMP:20241012T034159Z
ORGANIZER;CN=Henry:mailto:[email protected]
UID:1fmijtln7pfe0ccot1n4skuan4
CREATED:20241010T034159Z
DESCRIPTION:http://evil.com
LAST-MODIFIED:20241219T212644Z
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;RSVP=TRUE;CN=v4resk;X-NUM-GUESTS=0:mailto:[email protected]
LOCATION:Microsoft Teams Meeting
SEQUENCE:0
STATUS:CONFIRMED
SUMMARY:HR meeting
TRANSP:OPAQUE
END:VEVENT
END:VCALENDAR

Interesting fields can be found below

Fields
Comment

UID

UID Should be uniq and regenerated each times

ORGANIZER

The organizer can be spoofed by modifying the CN= value

ATTENDEE

You can add as many attendee as you’d like

PARTSTAT

We can force Attendees To Accept The Invite by setting PARTSTAT=ACCEPTED

DTSTART / DTEND

This properties specify the start and end times of the event

DESCRIPTION

It provides additional details about the event, and can be used to insert malicious contents / links.

hashtag
Phishing Attack

Fakemeetingarrow-up-right can be used to automate the process of creating .ICS phishing files. These invites can include a phishing URL, inside the DESCRIPTION field, crafted with a convincing pretext, encouraging the target to download a file or enter their credentials.

hashtag
Resources

https://appriver.com/resources/blog/june-2020/phishers-are-targeting-your-calendar-ics-filesappriver.comchevron-right
LogoSpam Delivered via .ICS Files - SANS Internet Storm CenterSANS Internet Storm Centerchevron-right
LogoSecurity Research | mr.d0xmrd0x.comchevron-right

Last updated