

The primary method would be by identifying expiring domains (or expired domains) that once hosted iCal files (or compromising a site hosting these files). Turning malicious #Īs we concluded our investigation into this particular case we started to think how this could be abused. This all turned out to be legitimate activity, the nysaz domain was once utilized for a Soccer program where parents could load up an iCal file to pull live updates of sporting events for their kids Soccer matches. Hxxp://The useragent associated to this activity was Microsoft Office/16.0 (Windows NT 10.0 Microsoft Outlook 7 Pro) which helped us identify the mix of iCal file being accessed & Outlook making the call. Upon further investigation we could see it was attempting to pull the following URL (this site is now dead): We can see in the image above that every 30 minutes a call was being made to nysazcom.

Upon investigation we originally assumed it would be related to Chrome Extensions gone rogue, but quickly identified via proxy logs that the users Outlook client was making the network calls. The difference between these methods is how we present the abuse & potential persistent way to continue to have a hook into a users environment via a calendar event.įor reference check out the articles below on how other threat actors are abusing iCal.ĭuring a recent investigation we identified a machine learning alert for “beacon-type” connectivity from a users asset to a gibberish/foreign registered domain hosted in international IP space.

This isn’t new #īefore publishing this article we looked around and did find that threat actors have been abusing iCal functionality for the last few years in a similar way (and in 2008 CVE-2008-1035). What makes these files interesting from a threat actor perspective is once a user imports this calendar it can be modified at-will by an attacker to change its contents, and as long as the threat actor does not make it look too suspicious, they’ll have a persistent method to push potentially malicious content to a user and have it pop Outlook reminders so the user checks the calendar event regularly. The iCal RFC provides documentation around what the files can be used for, make sure to check out RFC5545 to get an understanding of how iCal files can be constructed (hint: they’re text files). They allow for great convenience for common scenarios like sporting events where times and details may change frequently, without the end-user needing to perform any action. ICal ics are files that are created when setting up internet feed-based calendar events. Note: This entire method will require user interaction, and you may not always be able to achieve this during a campaign, make sure whatever your campaign is builds trust with the targets.

The focus of this article is about abusing iCal files (.ics extension) within Outlook. The research below was conducted by Eric Gonzalez ( and Dan Lussier ( with a special shout out to Sam Ferguson ( All content is for educational purposes and focuses on all aspects (investigation, weaponizing, detection & mitigation).
