We experienced a targeted phishing campaign where the entire payload — branded impersonation, QR code, credential harvesting links — was embedded in the X-ALT-DESC HTML field of an .ics calendar attachment. The email body was empty. Inky classified it PCL:4 and delivered to inbox. EOP independently scored the same campaign SCL:9 for a different recipient whose copy bypassed Inky routing.
Three requests:
1. Parse .ics X-ALT-DESC HTML with the same depth as email body content — link extraction, brand impersonation, computer vision, AI analysis.
2. Flag suspicious .ics structure — the attachment was padded with dozens of bogus X-headers containing random hex strings, a clear obfuscation pattern.
3. Explore a fallback model for EOP verdicts — currently re-injection sets SCL:-1 unconditionally, which overrode EOP's SCL:9 quarantine decision. When Inky misses, there's no safety net.
Inky support confirmed the .ics gap and the SCL override behavior is by design. Submitted as a feature request per their recommendation.
In Review
Email Security
About 2 months ago

Joel Stigliano
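The two detection gaps described in the post (HTML hidden in X-ALT-DESC while DESCRIPTION is empty, and padding with bogus X- headers carrying hex blobs) can be checked with a small standalone parser. The script below is an added example written for this page; it is not Inky's code or anything from the incident. The .ics text is constructed, the hex-blob regex, the allowlist of common X- properties, and the threshold of two suspicious headers are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample .ics, modelled on the structure described in the post:
# empty DESCRIPTION, real content in X-ALT-DESC, padding with bogus hex X- headers.
# Lines are folded with CRLF + space as RFC 5545 allows, so unfolding is exercised.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed example//EN\r\n"
    "X-A1B2C3:9f8e7d6c5b4a39281706f5e4d3c2b1a0\r\n"
    "X-D4E5F6:0011223344556677889900aabbccddee\r\n"
    "X-WR-CALNAME:Meeting\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "DTSTART:20240101T100000Z\r\n"
    "SUMMARY:Action required\r\n"
    "DESCRIPTION:\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><p>Your mailbox will be s\r\n"
    " uspended.</p><a href=\"https://login.example.invalid/verify\">Verify\r\n"
    " </a><img src=\"https://cdn.example.invalid/qr.png\"></body></html>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Assumed allowlist: X- properties that legitimate calendar clients commonly emit.
KNOWN_X_PROPS = {"X-ALT-DESC", "X-WR-CALNAME", "X-WR-TIMEZONE", "X-WR-CALDESC"}
# Assumed heuristic: a value that is nothing but 16+ hex characters looks like padding.
HEX_BLOB = re.compile(r"[0-9a-fA-F]{16,}")


def unfold(text):
    """Undo RFC 5545 line folding: a CRLF followed by a space or tab joins lines."""
    return re.sub(r"\r?\n[ \t]", "", text)


def parse_ics(text):
    """Return (NAME, params, value) triples for every content line."""
    props = []
    for line in unfold(text).splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name, _, params = head.partition(";")
        props.append((name.strip().upper(), params, value))
    return props


class _HtmlInspector(HTMLParser):
    """Collect href/src targets and visible text from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr in ("href", "src") and value:
                self.urls.append(value)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def analyze_ics(text, hex_header_threshold=2):
    """Inspect an .ics body the way an email body would be inspected."""
    props = parse_ics(text)

    html_parts = [v for n, p, v in props
                  if n == "X-ALT-DESC" and "text/html" in p.lower()]
    inspector = _HtmlInspector()
    for part in html_parts:
        inspector.feed(part)

    # Plain-text DESCRIPTION absent or empty while HTML content is present.
    has_plain_text = any(n == "DESCRIPTION" and v.strip() for n, p, v in props)
    empty_description = bool(html_parts) and not has_plain_text

    # Unknown X- properties whose values are bare hex blobs.
    hex_x_headers = [n for n, p, v in props
                     if n.startswith("X-") and n not in KNOWN_X_PROPS
                     and HEX_BLOB.fullmatch(v.strip())]

    suspicious = bool(inspector.urls) and (
        empty_description or len(hex_x_headers) >= hex_header_threshold)

    return {
        "urls": inspector.urls,
        "visible_text": " ".join(inspector.text),
        "empty_description": empty_description,
        "hex_x_headers": hex_x_headers,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in analyze_ics(SAMPLE_ICS).items():
        print(f"{key}: {value}")
```

The returned `urls` and `visible_text` are what a mail gateway would hand to its link-reputation, brand-impersonation and image checks; `hex_x_headers` and `empty_description` are the structural signals from the post. A real .ics can legitimately carry an HTML X-ALT-DESC from Outlook, so the URL and text extraction matters more than the padding count on its own.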