Add "ICS Phishing" TTP to calendar/ICS rules#4344

Open
aidenmitchell wants to merge 2 commits into main from add-ics-phishing-attack-type

Conversation

Member

@aidenmitchell aidenmitchell commented Apr 14, 2026

Summary

  • Adds "ICS Phishing" as a value to tactics_and_techniques across 18 calendar invite / ICS phishing-related detection rules
  • Covers attachment_ics_* rules, HTML smuggling rules delivering ICS files, Google Calendar abuse, and calendar invite callback phishing rules

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@aidenmitchell aidenmitchell requested a review from a team April 14, 2026 18:07
@aidenmitchell aidenmitchell requested a review from a team as a code owner April 14, 2026 18:07
@github-actions

Shared Samples Sync - Excluded

This PR contains 18 rules, which exceeds the maximum of 10 rules allowed per PR for automatic syncing.

This limit helps ensure the shared-samples environment remains manageable. If you need to test these rules, consider:

  • Splitting the PR into smaller PRs with fewer rules
  • Contacting Detection Operations to request a manual sync

@github-actions github-actions Bot added the test-rules:excluded:bulk_rules Bulk rule update, excluded from test rules label Apr 14, 2026
zoomequipd previously approved these changes Apr 14, 2026
@zoomequipd zoomequipd dismissed their stale review April 20, 2026 15:29

waiting feedback from product on attack type vs ttp

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@aidenmitchell aidenmitchell changed the title Add "ICS Phishing" attack type to calendar/ICS rules Add "ICS Phishing" TTP to calendar/ICS rules Apr 22, 2026
2 participants