April 11, 2026 Newsletter
Attackers are turning one of the most trusted workplace tools – calendar invitations – into a high-success attack vector that slips past traditional email defenses.
A recent analysis from CyberSecurityNews breaks down how iCalendar (.ics) files are being abused at scale to deliver phishing, malware, and even zero-day exploits while evading Secure Email Gateways (SEGs) and endpoint tools.
This post distills the key points and implications.
From “Benign Text” to High-Yield Attack Vector
The iCalendar format (RFC 5545) was designed as a simple, text-based standard for scheduling across Outlook, Google Calendar, Apple iCal, and other platforms. That simplicity and interoperability are exactly what makes it attractive to attackers.
Calendar-based phishing has become the third most common email social engineering vector.
Malicious .ics files achieve a 59% bypass rate against Secure Email Gateways.
Campaigns have hit hundreds of organizations, delivering thousands of malicious invites.
Most security stacks still treat .ics as “low risk text,” which means they rarely receive the same inspection as executables, Office files with macros, or archives.
How Attackers Abuse .ICS Structure
An .ics file is just structured text, but almost every field can be turned into an attack surface.
DESCRIPTION and LOCATION fields
Can hold clickable URLs.
Used to redirect users to credential phishing pages disguised as legitimate login or support portals.
ATTACH property
Supports both URIs and base64-encoded binary content.
Enables direct embedding of malware payloads (executables, scripts, DLLs) inside calendar files.
NCC Group showed that when an ATTACH points to a URI, that file can be silently pulled in and embedded when invites are exported or forwarded, opening paths for stealthy data exfiltration.
ORGANIZER and ATTENDEE fields
Used for sender spoofing and authority impersonation.
Invites often originate from legitimate Google or Microsoft infrastructure and therefore pass SPF, DKIM, and DMARC, which boosts trust and bypass rates.
Because the MIME type is text/calendar, many filters classify these files as low-risk and never parse the inner content for URLs or encoded payloads.
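The inspection step that the structure above calls for, as an added example that is not part of the original article or of any vendor's product: a small Python parser that unfolds RFC 5545 lines, extracts URLs from DESCRIPTION and LOCATION (after undoing TEXT escaping), decodes base64 ATTACH payloads and sniffs their magic bytes, flags URI attachments with script or executable extensions, and compares ORGANIZER against the SMTP envelope sender. The sample invite, the envelope address, the extension list and the block/review thresholds are all constructed for the example and would be tuned in a real deployment.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed sample invite (illustrative only, not a real campaign artifact): a URL
# inside a folded DESCRIPTION, a URL in LOCATION, a base64 "binary" ATTACH whose bytes
# start with a PE header, a URI ATTACH ending in .hta, and an ORGANIZER that differs
# from the SMTP envelope sender the gateway saw.
_BINARY_ATTACH = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "BEGIN:VEVENT",
    "SUMMARY:Payroll update required",
    "ORGANIZER;CN=IT Support:mailto:it-support@example.com",
    "ATTENDEE;RSVP=TRUE:mailto:alice@example.com",
    "DESCRIPTION:Confirm your details before the meeting: https://login-exa",
    " mple.com.account-verify.invalid/auth\\nThanks\\, IT",  # RFC 5545 folded continuation
    "LOCATION:https://meet.example.invalid/room",
    "ATTACH;FMTTYPE=application/octet-stream;ENCODING=BASE64;VALUE=BINARY:" + _BINARY_ATTACH,
    "ATTACH:https://cdn.example.invalid/agenda.hta",
    "END:VEVENT",
    "END:VCALENDAR",
]) + "\r\n"

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TEXT_PROPS = {"DESCRIPTION", "LOCATION", "SUMMARY", "COMMENT", "URL"}
RISKY_EXTS = (".exe", ".dll", ".scr", ".hta", ".js", ".vbs", ".ps1", ".lnk", ".iso", ".zip")
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable", b"PK\x03\x04": "zip-container"}


def unfold(ics_text: str) -> list[str]:
    """Undo RFC 5545 folding: a line break followed by space/tab continues the prior line."""
    lines: list[str] = []
    for raw in re.split(r"\r\n|\n", ics_text):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def split_property(line: str) -> tuple[str, dict[str, str], str]:
    """'NAME;P=v:value' -> (NAME, {P: v}, value); the first ':' outside quotes ends the head."""
    in_quotes, head, value = False, line, ""
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            head, value = line[:i], line[i + 1:]
            break
    name, *raw_params = head.split(";")
    params = {k.upper(): v.strip('"') for k, _, v in (p.partition("=") for p in raw_params)}
    return name.upper(), params, value

def unescape_text(value: str) -> str:
    """Undo TEXT escaping (backslash-n, backslash-comma, backslash-semicolon, double backslash)."""
    return re.sub(r"\\([\\;,nN])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

@dataclass
class Findings:
    organizer: str | None = None
    urls: list[str] = field(default_factory=list)
    attachments: list[dict] = field(default_factory=list)
    risk: list[str] = field(default_factory=list)

def inspect_invite(ics_text: str, envelope_sender: str) -> Findings:
    """Parse one text/calendar body and record everything a content filter should look at."""
    f = Findings()
    for line in unfold(ics_text):
        name, params, value = split_property(line)
        if name in TEXT_PROPS:
            f.urls.extend(URL_RE.findall(unescape_text(value)))
        elif name == "ATTACH":
            if params.get("ENCODING", "").upper() == "BASE64" or params.get("VALUE", "").upper() == "BINARY":
                try:
                    blob = base64.b64decode(value, validate=True)
                except (binascii.Error, ValueError):
                    blob = b""  # undecodable payloads still get a finding, not a free pass
                kind = next((k for magic, k in MAGIC.items() if blob.startswith(magic)), "unknown")
                f.attachments.append({"type": "binary", "size": len(blob), "kind": kind,
                                      "fmttype": params.get("FMTTYPE", "")})
                f.risk.append(f"attach-binary:{kind}")
            else:  # remote URI: the client may fetch it on open, export or forward
                f.attachments.append({"type": "uri", "uri": value})
                f.risk.append("attach-uri")
                if value.lower().endswith(RISKY_EXTS):
                    f.risk.append("attach-uri-risky-ext")
        elif name == "ORGANIZER":
            f.organizer = value.lower().removeprefix("mailto:")
    if f.organizer and f.organizer != envelope_sender.lower():
        f.risk.append("organizer-envelope-mismatch")
    if f.urls:
        f.risk.append("embedded-url")
    return f

def verdict(f: Findings) -> str:
    """Embedded binaries and script-type URI attachments: block; any other finding: review."""
    if any(r.startswith("attach-binary") or r == "attach-uri-risky-ext" for r in f.risk):
        return "block"
    return "review" if f.risk else "allow"
```

Running `inspect_invite(SAMPLE_ICS, "calendar-notification@mailer.invalid")` on the constructed invite yields both URLs (the folded one reassembled), a 64-byte PE-looking binary attachment, the .hta URI attachment and an organizer/envelope mismatch, so `verdict` returns "block". The point of the unfold and unescape steps is that a filter which regex-scans the raw file would miss the DESCRIPTION URL entirely, because folding splits it across two physical lines.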
Why Traditional Email Defenses Miss Calendar Attacks
Several systemic weaknesses converge here:
Limited content inspection
Most SEGs and endpoint filters do not deeply parse BEGIN:VCALENDAR content, ATTACH fields, embedded HTML, or base64 data inside .ics files.
Automatic event creation
Outlook and Google Calendar can auto-process .ics attachments and create tentative events even if users never open the original email or if the email is quarantined.
This “invisible click” means malicious links show up as normal calendar events and reminders, not as suspicious emails.
Persistence beyond quarantine
Research from Sublime Security shows that even when the original email is quarantined, the associated calendar entry can remain active, giving attackers a second opportunity and extending the attack window.
Result: calendar invitations become a stealthy delivery channel embedded into users’ daily workflow, driving much higher click-through rates than standard phishing emails.
Real-World Exploitation Campaigns
The article highlights multiple campaigns that show how far adversaries are pushing this vector.
1. Zimbra Zero-Day (CVE-2025-27915)
A stored cross-site scripting (XSS) flaw in Zimbra Collaboration Suite (versions 9.0 through 10.1) let JavaScript embedded in a malicious .ics attachment execute in the victim's webmail session.
Exploit used the
First detected in January 2025, it was used against Brazilian military organizations through spoofed emails purporting to come from the Libyan Navy's Office of Protocol.
The .ics files carried large base64-encoded JavaScript payloads that:
Waited 60 seconds before execution.
Used a three-day time gate to avoid sandboxes.
Hid UI elements to avoid suspicion.
Stole credentials, monitored activity, logged users out to capture logins, and exfiltrated email via Zimbra’s SOAP API every four hours.
CISA later added this CVE to its Known Exploited Vulnerabilities catalog, and the TTPs resembled those of UNC1151, a known state-aligned threat group.
2. Google Calendar Phishing and C2 Abuse
Check Point observed a campaign delivering 4,000+ spoofed invites to ~300 organizations in a month.
Invites were crafted to appear as though they were sent via Google Calendar on behalf of trusted contacts, and passed standard email authentication checks.
Attackers initially abused Google Forms links, then pivoted to Google Drawings when detection increased.
Lures led to:
Fake support pages and bogus reCAPTCHA prompts.
Credential harvesting pages targeting logins, payment data, and personal information.
Related activity:
Cofense documented .ics invites from compromised school district accounts leading to SharePoint-hosted links and Wells Fargo phishing pages that asked for banking credentials and PINs.
State-sponsored abuse:
Google Threat Intelligence Group reported Chinese APT41 using malware with Google Calendar as a command-and-control (C2) channel.
Calendar events with hard-coded dates carried encrypted exfiltrated data and commands in event descriptions, allowing C2 traffic to blend into normal cloud activity.
3. Microsoft Outlook Calendar Exploits
Attackers have abused the Dynamic Data Exchange (DDE) protocol via calendar invite bodies to trigger command execution when users open the invite and click through prompts.
CVE-2023-35636, patched by Microsoft in December 2023, let a malicious calendar invite leak the victim's NTLMv2 hash after a single click, by steering Outlook to an attacker-controlled share.
A newer Outlook flaw, CVE-2025-32705, enables remote code execution by exploiting improper memory handling and oversized ICS elements.
The risk is higher in environments using Outlook preview features, where simply viewing a message or invite can trigger parsing.
Defensive Priorities for Calendar-Based Threats
The article closes with clear defensive themes: calendar content can no longer be treated as benign.
Core priorities:
Treat .ics as active content
Classify calendar files as high-risk objects requiring the same scrutiny as executables and scripts.
Ensure email security solutions and CDR tools can parse text/calendar, inspect ATTACH fields, decode base64, and analyze embedded HTML/URLs.
Remediate emails and calendar objects together
Use capabilities (like those offered by Sublime Security) that remove calendar events when associated emails are quarantined, closing the “dual-payload” gap.
Harden calendar defaults in cloud suites
Google Workspace: in Calendar settings, set "Add invitations to my calendar" to "Only if the sender is known" (or "When I respond to the invitation in email") so unsolicited invites are not auto-added to users' calendars.
Microsoft 365 / Exchange Online:
Disable the Calendar Attendant's automatic processing on user mailboxes (Set-CalendarProcessing -AutomateProcessing None), so meeting requests stay as mail items until the user acts on them; the setting is per mailbox, so apply it across the tenant with a script.
Quarantine or adjust policy for .ics from external senders.
Disable auto-preview where feasible.
Microsoft Teams: tighten meeting policies, restrict anonymous join, and leverage brand impersonation and phishing protections as they roll out.
Monitor for anomalous calendar behavior
Look for unusual volumes of invites from external or newly observed domains.
Track recurring patterns of events with suspicious URLs, odd descriptions, or repeated ATTACH behavior.
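The monitoring behaviours just listed, as an added example that is not from the original article or from any vendor's product: detection logic in Python run over constructed invite telemetry (one record per inbound invite, as a gateway or mailbox audit pipeline might emit after parsing the text/calendar part). It flags a burst of invites from a never-before-seen sender domain, the same remote ATTACH URI reused across invites, and repeated links whose host is unrelated to the sending domain. The records, the baseline of known sender domains and the thresholds are all assumptions made for the example.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (illustrative, not from any real campaign): seven days of
# routine invites from a known partner, then a 40-minute burst from an unknown domain
# whose invites all point at one off-domain login host and one remote .hta ATTACH.
def make_record(ts, domain, url_host, attach=None):
    return {"ts": ts, "sender_domain": domain,
            "url_hosts": [url_host] if url_host else [],
            "attach_uris": [attach] if attach else []}

INVITES = (
    [make_record(f"2026-04-0{d}T09:00:00", "example.com", "meet.example.com") for d in range(1, 8)]
    + [make_record(f"2026-04-10T10:{m:02d}:00", "calendar-notify.invalid", "login-verify.invalid",
                   "https://cdn.invalid/agenda.hta") for m in range(0, 40, 5)]
    + [make_record("2026-04-10T11:00:00", "partner.invalid", "meet.partner.invalid")]
)

# Assumed baseline of sender domains seen before (in practice built from 30-90 days of mail logs).
KNOWN_SENDER_DOMAINS = {"example.com", "partner.invalid"}


def peak_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of invites from one sender inside any sliding time window."""
    times = sorted(times)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def off_domain(host: str, domain: str) -> bool:
    """True when a linked host is neither the sending domain nor a subdomain of it."""
    return not (host == domain or host.endswith("." + domain))

def detect(invites, known_domains=KNOWN_SENDER_DOMAINS, *,
           window_hours=24, burst_threshold=5, repeat_threshold=3):
    """Return one alert dict per triggered rule, grouped by sender domain."""
    alerts = []
    by_domain = defaultdict(list)
    for inv in invites:
        by_domain[inv["sender_domain"]].append(inv)
    for domain, recs in by_domain.items():
        is_new = domain not in known_domains
        times = [datetime.fromisoformat(r["ts"]) for r in recs]
        peak = peak_in_window(times, timedelta(hours=window_hours))
        if is_new and peak >= burst_threshold:
            alerts.append({"rule": "burst-from-new-domain", "domain": domain, "count": peak})
        # The same remote ATTACH reused across many invites is a campaign fingerprint.
        for uri, n in Counter(u for r in recs for u in r["attach_uris"]).items():
            if n >= repeat_threshold:
                alerts.append({"rule": "repeated-attach-uri", "domain": domain, "uri": uri, "count": n})
        # Repeated links to a host unrelated to the sender: typical of credential-harvest lures.
        for host, n in Counter(h for r in recs for h in r["url_hosts"] if off_domain(h, domain)).items():
            if n >= repeat_threshold:
                alerts.append({"rule": "repeated-offdomain-url", "domain": domain, "host": host, "count": n})
    return alerts
```

On the constructed data `detect(INVITES)` returns three alerts, all for calendar-notify.invalid, and nothing for the baseline traffic. The off-domain-URL rule will also fire on legitimate third-party meeting hosts (video-conferencing services linked from many organisations' invites), so in production it needs an allowlist of known meeting hosts, and the burst rule should be scoped to newly observed domains as it is here to avoid alerting on large partners' normal scheduling volume.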
Elevate user awareness around calendar invites
Calendar reminders and meeting requests need the same zero-trust scrutiny as emails, especially when they request credentials, payment changes, or sensitive actions.
Calendar weaponization represents a structural shift in attacker strategy: instead of fighting hardened email channels head-on, they are moving into the blind spots of collaboration platforms. With high SEG bypass rates, active exploitation of zero-days, and abuse by both financially motivated actors and state groups, .ics files now belong on every organization’s high-risk object list.