
Phishing with Calendars (.ICS Files)

Theory

We can leverage calendar invites as an initial access vector, using the iCalendar (ICS) file format to create a phishing scenario.

The ICS file format is supported by several calendar applications, such as Google Calendar, Outlook, and Apple Calendar.

Practice

.ICS Format File Overview

The easiest way to get a .ics file is by creating a Google Calendar invite from one Gmail account to another and then downloading the invite.ics email attachment.

An example of an Exchange .ICS file can be found below:

.ICS Example
BEGIN:VCALENDAR
PRODID:Microsoft Exchange Server 2022
VERSION:2.0
CALSCALE:GREGORIAN
METHOD:REQUEST
BEGIN:VTIMEZONE
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
TZNAME:GMT+2
BEGIN:STANDARD
DTSTART:19701025T030000
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTART;TZID=Europe/Paris:20241224T080000
DTEND;TZID=Europe/Paris:20241224T090000
DTSTAMP:20241012T034159Z
ORGANIZER;CN=Henry:mailto:henry24@infiltr8.io
UID:1fmijtln7pfe0ccot1n4skuan4
CREATED:20241010T034159Z
DESCRIPTION:http://evil.com
LAST-MODIFIED:20241219T212644Z
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;RSVP=TRUE;CN=v4resk;X-NUM-GUESTS=0:mailto:v4resk@gmail.com
LOCATION:Microsoft Teams Meeting
SEQUENCE:0
STATUS:CONFIRMED
SUMMARY:HR meeting
TRANSP:OPAQUE
END:VEVENT
END:VCALENDAR

The interesting fields are listed below:

| Field | Comment |
| --- | --- |
| UID | The UID should be unique and regenerated each time. |
| ORGANIZER | The organizer can be spoofed by modifying the CN= value. |
| ATTENDEE | You can add as many attendees as you'd like. |
| PARTSTAT | We can force attendees to accept the invite by setting PARTSTAT=ACCEPTED. |
| DTSTART / DTEND | These properties specify the start and end times of the event. |
| DESCRIPTION | Provides additional details about the event, and can be used to insert malicious content or links. |
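On the receiving side, the same fields are what a mail gateway or triage script can inspect. The following is an added example, not part of the original page or of any tool it names: it parses an invite and reports the fields listed above. The sample invite, the finding names, and the `envelope_from` and `recipient` inputs (assumed to come from the gateway's authenticated sender and the delivery address) are constructed for illustration.

```python
import re

# Constructed sample invite (not a real message); DESCRIPTION is folded per RFC 5545.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST", "BEGIN:VEVENT",
    "UID:constructed-uid-0001", 'ORGANIZER;CN="HR Team":mailto:hr@example.com',
    "ATTENDEE;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;RSVP=TRUE:mailto:user@example.org",
    "DESCRIPTION:Please review the agenda at http://login.example.net/agen",
    " da before the meeting",
    "SUMMARY:HR meeting", "END:VEVENT", "END:VCALENDAR", ""])

URL_RE = re.compile(r"https?://[^\s\\,;]+", re.I)

def unfold(text):
    """RFC 5545 unfolding: a line break followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def parse_line(line):
    """Split 'NAME;P=V;...:value' at the first ':' that is outside double quotes."""
    m = re.match(r'((?:[^":]|"[^"]*")*):(.*)$', line)
    if not m:
        return None
    name, *raw = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group(1))
    params = {k.upper(): v.strip('"') for k, v in (p.split("=", 1) for p in raw if "=" in p)}
    return name.upper(), params, m.group(2)

def review_invite(ics_text, envelope_from=None, recipient=None):
    """Return (kind, detail) findings for the fields listed above."""
    method, accepted, findings = None, [], []
    for name, params, value in filter(None, map(parse_line, unfold(ics_text))):
        addr = value.split(":", 1)[-1].strip().lower()  # drop the mailto: scheme
        if name == "METHOD":
            method = value.strip().upper()
        elif name == "ORGANIZER":
            # CN= is free text, so compare only the address with the real sender.
            if envelope_from and addr != envelope_from.lower():
                findings.append(("organizer_not_sender", addr))
        elif name == "ATTENDEE" and params.get("PARTSTAT", "").upper() == "ACCEPTED":
            accepted.append(addr)
        elif name in ("DESCRIPTION", "LOCATION", "URL"):
            findings += [("link_in_" + name.lower(), u) for u in URL_RE.findall(value)]
    # Heuristic: the recipient is already ACCEPTED in a REQUEST they never answered.
    if method == "REQUEST" and recipient:
        findings += [("attendee_preaccepted", a) for a in accepted if a == recipient.lower()]
    return findings

if __name__ == "__main__":
    for kind, detail in review_invite(SAMPLE_ICS, "notify@mailer.example.net", "user@example.org"):
        print(kind, detail)
```

The pre-accepted check is a heuristic: an update to an event the recipient really did accept also matches, so treat it as a signal to combine with the organizer and link findings rather than a verdict on its own.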

Phishing Attack

Fakemeeting can be used to automate the creation of .ICS phishing files. These invites can include a phishing URL in the DESCRIPTION field, crafted with a convincing pretext that encourages the target to download a file or enter their credentials.
