
Attackers have recently begun actively exploiting ICS (calendar invitation) files instead of traditional email-based phishing. Because an ICS file is a simple text-based calendar file, many security systems classify it as low-risk. Moreover, Outlook and Google Calendar automatically register schedule invitations. As a result, users can be exposed to the attack content directly through “calendar alerts,” even if they never open the email itself.
The goal of ICS-based attacks is clear: lure the user into clicking hidden URLs inside the ICS file, leading to fraudulent payment pages, account-stealing phishing sites, or remote-access tool installations. Ultimately, this is a URL-driven attack, meaning Criminal IP Domain Search can be used to verify URLs in advance and prevent threats proactively.
Why ICS (Calendar Invitation) Files Have Become a New Phishing Vector

An ICS file is a simple text format containing calendar information, but attackers can insert malicious elements through fields such as:
- DESCRIPTION: Event description (most frequently abused)
- LOCATION: Malicious URL disguised as an event location
- URL: Phishing URL masquerading as an official event link
- ATTACH: Base64-encoded malicious files
Attackers exploit this structure to embed threats into ICS files and use urgent phrases such as “payment expiration,” “security verification,” or “service suspension” to trick users into clicking. Because ICS files are applied to the calendar as soon as the email is received, they often bypass traditional email filtering mechanisms.
ICS Phishing Attack Flow: How Calendar Invitations Bypass Email Security

- Attackers send an ICS file containing a hidden phishing URL as an email attachment.
- Outlook and Google Calendar automatically process the ICS file and generate an event.
- Even if the email is caught by a spam filter, the event may still be created.
- Users see the attack message via calendar alerts, not via the email body.
- When users click the link inside the ICS file, they are redirected to a phishing or malicious download page.
ICS phishing abuses a file format that security products often inspect less thoroughly, enabling attackers to bypass existing defenses.
Why Criminal IP Can Detect ICS-Based Phishing
Because ICS attacks are fundamentally URL-centric, they can be identified using Criminal IP Domain Search and Asset Search.
1) Detecting Malicious URLs with Domain Search

Criminal IP Domain Search provides indicators such as:
- Domain creation date (newly registered or not)
- Free/expired/self-signed SSL usage
- Existence of HTML Forms
- Script obfuscation and hidden elements
- Brand impersonation via favicon hash
- Historical malicious records (C2, phishing campaigns, etc.)
- Abnormal WHOIS/registrar information
Since ICS files are plain text, extracting URLs allows immediate maliciousness checks.
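The following sketch shows what that extraction step can look like for the four fields listed earlier (DESCRIPTION, LOCATION, URL, ATTACH). It is an added example, not Criminal IP's code; the function names and the sample invitation are constructed for illustration, and the resulting URLs would then be submitted to a reputation check such as Domain Search.

```python
import base64
import re

WATCHED = {"DESCRIPTION", "LOCATION", "URL", "ATTACH"}  # fields the article lists
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def unfold(ics_text):
    """Undo RFC 5545 folding: a line break followed by space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def split_content_line(line):
    """Return (NAME, [PARAMS], value), splitting at the first ':' outside quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            name, *params = line[:i].upper().split(";")
            return name, params, line[i + 1:]
    return "", [], ""

def unescape_text(value):
    """Reverse TEXT escaping so an escaped newline ends a URL instead of joining it."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def extract_indicators(ics_text):
    """List (property, kind, detail) for URLs and inline Base64 attachments."""
    findings = []
    for line in unfold(ics_text):
        name, params, value = split_content_line(line)
        if name == "ATTACH" and "ENCODING=BASE64" in params:
            try:
                magic = base64.b64decode(value)[:2].hex()  # 4d5a is the "MZ" header
            except ValueError:
                magic = "undecodable"
            findings.append((name, "inline-base64", magic))
        elif name in WATCHED:
            for url in URL_RE.findall(unescape_text(value)):
                findings.append((name, "url", url.rstrip(".,;)")))
    return findings

SAMPLE_ICS = (  # constructed sample: placeholder hosts, 8-byte dummy attachment
    "BEGIN:VEVENT\r\n"
    "DESCRIPTION:Payment expired.\\nVerify at https://billing-ver\r\n"
    " ify.example/pay\\nbefore today.\r\n"
    "LOCATION:https://meet.example/join?id=42\r\n"
    "ATTACH;ENCODING=BASE64;VALUE=BINARY:TVqQAAMAAAA=\r\n"
    "END:VEVENT\r\n"
)
```

Unfolding before matching matters: a URL split across a folded line, as in the sample DESCRIPTION, would otherwise be extracted only in part and checked as the wrong domain.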
2) Infrastructure Analysis with Asset Search

Servers used in ICS phishing commonly show the following patterns:
- Short-lived domains or temporary VPS
- Low-cost hosting in the US or Europe
- Dangerous open ports (8080/8443/8880/9000, etc.)
- SSL mismatch or self-signed certificates
- Signs of phishing page frameworks
Criminal IP Asset Search aggregates server ports, banners, SSL status, and risk scores, enabling investigation of the backend infrastructure used in ICS attacks.
Blocking ICS-Based Phishing in Outlook (How to Use Malicious Link Detector)
ICS files are delivered as email attachments, so the Criminal IP Outlook Add-in allows preemptive blocking of phishing URLs at the email stage.
1. Create a Criminal IP Account

Sign up for Criminal IP using an email/password or Google account. The Add-in is available with a free account.
2. Install the Outlook Add-in and Log In

After installation, click the Add-in icon on the Outlook ribbon. The right-side task pane will appear, and you can log in and begin scanning.
3. Automatic URL Scanning in Email Bodies

Once logged in, incoming emails are scanned automatically.
- Summary of Result: Number of scanned URLs and malicious domains
- Domain Results: Detailed analysis of each domain
- Complete URL List: Full list of detected URLs
Recommended Organizational Countermeasures
Organizations should no longer consider ICS files “simple calendar files.” The following steps are necessary:
- Restrict automatic event creation; require manual approval for external invitations.
- Strengthen URL filtering for ICS files in Outlook and Google Workspace.
- Use the Criminal IP Outlook Add-in to automatically evaluate the safety of all links in emails.
- Continuously monitor domains exploited in ICS attacks from an attacker-infrastructure perspective.
These steps are effective not only for ICS-based threats but for all URL-driven phishing attacks.
FAQ
Q1. Can an attack occur even if the ICS file is not opened?
Yes. If Outlook/Google Calendar auto-generates the event, the user will see the attack message through calendar alerts even without opening the email.
Q2. Can ICS files contain actual malware?
Yes. The ATTACH field can contain Base64-encoded files, which have been abused to deliver malicious APK/EXE files.
Q3. Why do security solutions fail to detect ICS files?
Because ICS files are plain-text calendar files with MIME type text/calendar, many security tools classify them as low-risk.
Conclusion
ICS (calendar invitation) file phishing exposes users through calendar alerts even without opening the email, making it difficult to block with spam filtering alone. However, because the core of the attack is URL-based, verifying ICS-embedded URLs with Criminal IP Domain Search and analyzing links at the email stage with the Outlook Add-in provides an effective defense. Using both together allows organizations to block ICS phishing as well as a wide range of URL-driven attacks.
For additional details, refer to the article on Outlook: Detecting and Blocking Phishing Emails in Real-Time.
Sources: Criminal IP (https://www.criminalip.io/), Cyber Security News (https://cybersecuritynews.com/calendar-files-weaponized-as-attack-vector/#google_vignette)
Related Article: https://www.criminalip.io/knowledge-hub/notice/23812
