Phishing with Calendars (.ICS Files)

Theory

We can leverage calendar invites as an initial access vector, using the iCalendar (ICS) file format to create a phishing scenario.

The ICS file format is supported by several calendar applications, such as Google Calendar, Outlook, and Apple Calendar.

Practice

.ICS Format File Overview

The easiest way to get a .ics file is by creating a Google Calendar invite from one Gmail account to another and then downloading the invite.ics email attachment.

An example of an Exchange .ICS file can be found below:

.ICS Example
BEGIN:VCALENDAR
PRODID:Microsoft Exchange Server 2022
VERSION:2.0
CALSCALE:GREGORIAN
METHOD:REQUEST
BEGIN:VTIMEZONE
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
TZNAME:GMT+2
BEGIN:STANDARD
DTSTART:19701025T030000
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTART;TZID=Europe/Paris:20241224T080000
DTEND;TZID=Europe/Paris:20241224T090000
DTSTAMP:20241012T034159Z
ORGANIZER;CN=Henry:mailto:henry24@infiltr8.io
UID:1fmijtln7pfe0ccot1n4skuan4
CREATED:20241010T034159Z
DESCRIPTION:http://evil.com
LAST-MODIFIED:20241219T212644Z
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;RSVP=TRUE;CN=v4resk;X-NUM-GUESTS=0:mailto:v4resk@gmail.com
LOCATION:Microsoft Teams Meeting
SEQUENCE:0
STATUS:CONFIRMED
SUMMARY:HR meeting
TRANSP:OPAQUE
END:VEVENT
END:VCALENDAR

The interesting fields are listed below:

| Field | Comment |
| --- | --- |
| UID | The UID should be unique and regenerated each time. |
| ORGANIZER | The organizer can be spoofed by modifying the CN= value. |
| ATTENDEE | You can add as many attendees as you'd like. |
| PARTSTAT | We can force attendees to accept the invite by setting PARTSTAT=ACCEPTED. |
| DTSTART / DTEND | These properties specify the start and end times of the event. |
| DESCRIPTION | Provides additional details about the event, and can be used to insert malicious content or links. |
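On the receiving side, the same fields give a mail gateway or SOC script something concrete to check on an incoming invite. The following is an added example, not code from the original page or from Fakemeeting; the function names, finding labels and sample invite are constructed. The checks are heuristics: the recipient already marked ACCEPTED in a METHOD:REQUEST, an ORGANIZER address that differs from the mail sender, and URLs in free-text fields.

```python
import re

# One content line: NAME *(;PARAM=value) ":" VALUE; parameter values may be quoted.
LINE_RE = re.compile(r'^([A-Za-z0-9-]+)((?:;[^=;:]+=(?:"[^"]*"|[^;:"])*)*):(.*)$')
PARAM_RE = re.compile(r';([^=;:]+)=((?:"[^"]*"|[^;:"])*)')
# Stops at a backslash so iCalendar TEXT escapes (\n, \,) do not leak into the URL.
URL_RE = re.compile(r'https?://[^\s\\,;"<>]+', re.I)

def parse_ics(text):
    """Unfold RFC 5545 lines and return (NAME, {PARAM: value}, VALUE) tuples."""
    unfolded = re.sub(r'\r?\n[ \t]', '', text)
    props = []
    for line in unfolded.splitlines():
        m = LINE_RE.match(line)
        if m:
            params = {k.upper(): v.strip('"') for k, v in PARAM_RE.findall(m.group(2))}
            props.append((m.group(1).upper(), params, m.group(3)))
    return props

def mailbox(value):  # normalise a "mailto:" calendar address for comparison
    return re.sub(r'^mailto:', '', value.strip(), flags=re.I).lower()

def triage_invite(text, recipient, mail_from):
    """Return findings for an invite delivered to `recipient` in a mail from `mail_from`."""
    props = parse_ics(text)
    method = next((v.upper() for n, _, v in props if n == 'METHOD'), '')
    findings = []
    for name, params, value in props:
        if (name == 'ATTENDEE' and method == 'REQUEST'
                and mailbox(value) == recipient.lower()
                and params.get('PARTSTAT', 'NEEDS-ACTION').upper() == 'ACCEPTED'):
            findings.append(('preaccepted-recipient', mailbox(value)))
        elif name == 'ORGANIZER' and mailbox(value) != mail_from.lower():
            findings.append(('organizer-sender-mismatch', mailbox(value)))
        elif name in ('DESCRIPTION', 'LOCATION', 'URL'):
            findings += [('url', u) for u in URL_RE.findall(value)]
    return findings

# Constructed sample invite (example addresses); the ATTENDEE line is folded.
SAMPLE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-0001\r\nDTSTAMP:20241012T034159Z\r\n"
    "ORGANIZER;CN=\"HR: Henry\":mailto:henry@corp.example\r\n"
    "ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;\r\n"
    " RSVP=TRUE;CN=alice:mailto:alice@corp.example\r\n"
    "DESCRIPTION:Please review before the meeting: http://evil.example/login\r\n"
    "SUMMARY:HR meeting\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
```

Legitimate delegated or forwarded invites can trip the organizer check, so treat the findings as triage signals to combine with sender authentication results and URL reputation.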

Phishing Attack

Fakemeeting can be used to automate the process of creating .ICS phishing files. These invites can include a phishing URL, inside the DESCRIPTION field, crafted with a convincing pretext, encouraging the target to download a file or enter their credentials.

# 1. Edit fakemeeting.py
# 2. execute
python fakemeeting.py
