Mail attachment malware is malicious code hidden in files (PDFs, Office documents, ZIP archives, for example) that, when opened, infects the system with ransomware, spyware, or viruses. Often disguised as invoices or shipping notices, these attachments exploit software vulnerabilities to download payloads. Usually the first thing downloaded is a dropper, a small component used to fetch larger malicious files onto the device before further execution.
Introduction
Dynamic analysis relies on behaviour-based detection rather than on signatures. Automatically detonating attachments in a sandbox can surface suspicious behaviour such as unexpected network traffic, new or modified files, or changes to the Windows registry. This is useful, but it takes time. The analysis is usually done in a sandbox, and deep packet inspection of the resulting traffic can be applied as well.
Summary
How can you build a mail attachment that is able to execute code? Well, the answer is simpler than you might imagine!
The .ics file type carries more than just a time and a place, and its fields can be engineered to carry additional content.
An ICS file (iCalendar) is a universal, plain-text format for sharing digital calendar data. It allows events, meetings, or tasks to be imported and exported between calendar applications such as Google Calendar, Outlook, and Apple Calendar, so everyone sees the same details (time, location, description) regardless of their software. You typically receive one as an email attachment or download, then open it with a double-click to add the event directly to your calendar. In this way, executable software can run.
They usually look like this:
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Your Company//NONSGML Event//EN
BEGIN:VEVENT
UID:uid1@example.com
DTSTAMP:20260205T210000Z
DTSTART:20260325T203000Z
DTEND:20260325T213000Z
SUMMARY:Event Title
DESCRIPTION:Event Description!
END:VEVENT
END:VCALENDAR
This has the following structure:
- BEGIN:VCALENDAR and END:VCALENDAR: Encapsulate the entire calendar data.
- VERSION:2.0: Specifies the iCalendar version.
- PRODID: Identifies the creator of the file.
- BEGIN:VEVENT and END:VEVENT: Define a single event.
- UID: A unique identifier for the event (important for updates).
- DTSTAMP: The date/time when the file was created (in UTC format, Z indicates UTC).
- DTSTART and DTEND: The start and end date/time of the event (also in UTC format, or with a specified timezone).
- SUMMARY: The title of the event.
- DESCRIPTION: A description of the event.
It is a text file format: a file written as .txt and saved as .ics becomes a set of instructions for many calendar apps such as Teams, Google Calendar, and Apple Mail. Any of the fields, such as PRODID or DESCRIPTION, can be edited to carry further content, for example:
DESCRIPTION:Meeting for the induction phase of your project.\nPlease click
  the link below to join the meeting.
# hide the malicious
END:VEVENT
END:VCALENDAR
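The structure listed above is simple enough to parse by hand, which is what a mail gateway or an analyst needs in order to look inside an invite before a calendar auto-adds it. The following is an added example, not code from the original post: a small iCalendar inspector that unfolds RFC 5545 continuation lines, walks the BEGIN/END components, and flags content a plain calendar event does not need. The indicators it uses (embedded URLs, ATTACH properties, vendor X- properties) and the sample invite with its example.invalid links are this example's own constructions, not published detection rules or real indicators.

```python
# Added example (not from the original post): a small iCalendar (.ics)
# inspector that a mail gateway or an analyst could run over an invite to
# flag content a plain calendar event does not need. The indicators
# (embedded URLs, ATTACH properties, vendor X- properties) are this
# example's own heuristics, not a published detection rule.
import re

# Property values that look like links; the excluded characters stop the
# match at iCalendar text escapes (\n) and at HTML markup.
URL_RE = re.compile(r'https?://[^\s\\"<>]+', re.IGNORECASE)


def unfold(text):
    """Undo RFC 5545 line folding: a line starting with a space or tab
    continues the previous line."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_ics(text):
    """Parse BEGIN/END-delimited components into nested dicts.
    Each component is {"type", "props": {NAME: [(params, value), ...]}, "children"}.
    Returns the outermost component, or None if the text has none."""
    root, stack = None, []
    for line in unfold(text):
        head, sep, value = line.partition(":")
        if not sep:
            continue                      # not a property line; ignore
        name, *params = head.split(";")
        name = name.upper()
        if name == "BEGIN":
            comp = {"type": value.strip().upper(), "props": {}, "children": []}
            if stack:
                stack[-1]["children"].append(comp)
            else:
                root = comp
            stack.append(comp)
        elif name == "END":
            if stack and stack[-1]["type"] == value.strip().upper():
                stack.pop()
        elif stack:
            stack[-1]["props"].setdefault(name, []).append((params, value))
    return root


def inspect_event(event):
    """Return human-readable findings for one VEVENT."""
    findings = []
    for name, entries in event["props"].items():
        for _params, value in entries:
            if name == "ATTACH":
                findings.append(f"ATTACH property: {value}")
                continue
            for url in URL_RE.findall(value):
                findings.append(f"url in {name}: {url}")
            if name.startswith("X-"):
                findings.append(f"vendor extension property {name}")
    return findings


def inspect_ics(text):
    """Findings for every VEVENT in a VCALENDAR; an empty list means clean."""
    cal = parse_ics(text)
    if cal is None or cal["type"] != "VCALENDAR":
        return ["not a VCALENDAR"]
    findings = []
    for comp in cal["children"]:
        if comp["type"] == "VEVENT":
            findings.extend(inspect_event(comp))
    return findings


# Constructed sample: the page's own invite skeleton plus a link in the
# description, an ATTACH pointing at a remote file, and an HTML alternative
# description. The host example.invalid is a placeholder, not a real indicator.
SUSPICIOUS_ICS = """\
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Your Company//NONSGML Event//EN
BEGIN:VEVENT
UID:uid1@example.com
DTSTAMP:20260205T210000Z
DTSTART:20260325T203000Z
DTEND:20260325T213000Z
SUMMARY:Event Title
DESCRIPTION:Meeting for the induction phase of your project.\\nPlease clic
 k the link below to join the meeting.\\nhttps://example.invalid/join
ATTACH;FMTTYPE=application/octet-stream:https://example.invalid/update.exe
X-ALT-DESC;FMTTYPE=text/html:<html><a href="https://example.invalid/join">Join</a></html>
END:VEVENT
END:VCALENDAR
"""

# Constructed clean invite: the same skeleton with no links or attachments.
CLEAN_ICS = (SUSPICIOUS_ICS.split("DESCRIPTION:")[0]
             + "DESCRIPTION:Event Description!\nEND:VEVENT\nEND:VCALENDAR\n")

if __name__ == "__main__":
    for finding in inspect_ics(SUSPICIOUS_ICS):
        print(finding)
```

Run on the suspicious sample it reports the link in DESCRIPTION, the ATTACH property, the link inside X-ALT-DESC and the X- property itself; the clean invite produces no findings. A finding is a reason to hold the invite for review, not proof of malice, since legitimate invites also carry join links; the point is that the gate sees the link before the calendar does.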
Prevention
An increase in the use of macros in Microsoft Office files as a malware delivery vector has been observed. These macros are written in the Visual Basic for Applications (VBA) programming language, a feature built into Microsoft Office applications. Macros are commonly used for task automation; however, malicious actors also use them to perform a variety of malicious activities, including downloading and executing malware on the host computer. It is a good idea to remove VBA scripts from execution lists and permission groups.
Basically, this file structure can be written as a simple text file and then renamed from .txt to .ics once it is complete. After that, the file can be edited further, since these files can execute code. At this stage attackers would usually provide a link to a dropper rather than the full payload, fetching the larger package only after a connection has been established, because larger packages create more initial traffic and could generate an alert.
One of the ways this was noticed was during a recent cyber incident (see links below). By using a certificate that was trusted, the attackers were able to fake an invite with a compromised certificate, which gave them access to an application. When the user clicked on it, it ran, because Microsoft still trusted the vendor's certificate and the signed application.
In doing so, attackers were able to steal a trusted certificate from an application and then bypass security by authenticating with the stolen token. Because the stolen token is still trusted by Microsoft, any application signed with it is able to run and will not automatically be shut down. In the example below, a multi-stage attack succeeded through the use of this technique.
{
  "subject": "Project Sync Meeting",
  "isOnlineMeeting": true,
  "onlineMeetingProvider": "teamsForBusiness",
  "start": {
    "dateTime": "2026-03-01T10:00:00",
    "timeZone": "Pacific Standard Time"
  },
  "end": {
    "dateTime": "2026-03-01T11:00:00",
    "timeZone": "Pacific Standard Time"
  },
  "attendees": [
    {
      "emailAddress": {
        "address": "jane.doe@example.com",
        "name": "Jane Doe"
      },
      "type": "required"
    },
    {
      "emailAddress": {
        "address": "john.smith@example.com",
        "name": "John Smith"
      },
      "type": "optional"
    }
  ]
}
Microsoft readily provides information on editing invitations, attachments and personalisation, but unfortunately that can be used in more than one way:
Navigate to the Teams admin center
In the left navigation, expand Meetings > Meeting settings.
Under Email invitation, do the following:
Best practice to avoid this includes the following:
- Use email filtering to block attachments from unknown senders.
- Educate users about the dangers of opening attachments from unknown senders.
- Use antivirus software to scan attachments before they are opened.
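The three measures above can be expressed as an attachment gate that runs before the message reaches a mailbox. The following is an added example, not code from the original post or from any vendor product: it parses a raw email with Python's standard library, gives each attachment a verdict (block on a risky extension, block when the declared MIME type disagrees with the file's leading bytes, hold a calendar invite from a sender outside an allow-list), and builds a constructed three-attachment message to exercise it. The block-list, the trusted sender domain, the magic-byte table and the sample message are this example's own assumptions.

```python
# Added example (not from the original post): an attachment gate in the spirit
# of the prevention list. It parses a raw email and gives each attachment a
# verdict: block risky extensions, block when the declared MIME type disagrees
# with the file's magic bytes, and hold calendar invites from senders outside
# an allow-list so they never reach a mailbox that auto-adds invites. The
# block-list, trusted domain and magic-byte table are this example's own.
import email
import email.utils
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}
TRUSTED_SENDER_DOMAINS = {"example.com"}       # constructed allow-list
MAGIC = {                                       # declared type -> expected leading bytes
    "application/pdf": b"%PDF",
    "application/zip": b"PK\x03\x04",
    "text/calendar": b"BEGIN:VCALENDAR",
}


def attachment_verdict(part, trusted_sender):
    """Decide what to do with one MIME part that carries an attachment."""
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    # Strip a UTF-8 BOM and leading whitespace before comparing magic bytes.
    data = (part.get_payload(decode=True) or b"").lstrip(b"\xef\xbb\xbf \t\r\n")
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block: executable or macro-enabled extension"
    expected = MAGIC.get(ctype)
    if expected is not None and not data.startswith(expected):
        return f"block: content does not match declared type {ctype}"
    if ext == ".ics" or ctype == "text/calendar":
        if trusted_sender:
            return "allow: calendar invite from trusted sender"
        return "hold: calendar invite from untrusted sender"
    return "allow"


def scan_message(raw_bytes):
    """Map each attachment filename to its verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    trusted = addr.rsplit("@", 1)[-1].lower() in TRUSTED_SENDER_DOMAINS
    return {part.get_filename() or "<unnamed>": attachment_verdict(part, trusted)
            for part in msg.iter_attachments()}


def build_sample(sender):
    """Constructed message with three attachments of different risk profiles;
    the 'PDF' and the .exe carry a few PE header bytes, not a real program."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "new.hire@example.com"
    msg["Subject"] = "Project Sync Meeting"
    msg.set_content("Please see the attached invite.")
    msg.add_attachment(b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nEND:VCALENDAR\r\n",
                       maintype="text", subtype="calendar", filename="invite.ics")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 12
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample("hr@example.com")).items():
        print(f"{filename}: {verdict}")
```

The mismatch check is the one that catches a disguised binary named invoice.pdf: the extension and declared type both look harmless, but the leading bytes do not. The hold verdict for invites from untrusted senders is what blunts the auto-add behaviour the page warns about: the invite is quarantined for a human decision rather than landing in the calendar.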
Mail attachments can be edited so that an .ics file, which appears to be a list of people who are attending and a link to a meeting, can be used to execute code. This is a very simple attack vector, and it is often used in phishing campaigns, especially against vulnerable people within the organisation such as someone who is just starting as an intern or a new hire. It is important to be aware of this and to take steps to prevent it, especially since the default settings of many accounts add invites to calendars automatically. Those steps include using email filtering, educating users about the dangers of opening attachments from unknown senders, and using antivirus software to scan attachments before they are opened.
References
[1] Cyber Government, 2023, https://www.cyber.gov.au/sites/default/files/2023-03/PROTECT%20-%20Malicious%20Email%20Mitigation%20Strategies%20%28October%202021%29.pdf
[2] Microsoft Safe Attachments, https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
[3] iCal, https://ical.marudot.com/
[4] https://learn.microsoft.com/en-us/microsoftteams/customize-meeting-invitations
[5] https://www.bleepingcomputer.com/news/security/malware-delivered-via-teams-meeting-invitations/
[6] Permiso Inc, Sliding into your DMS: https://permiso.io/blog/sliding-into-your-dms-abusing-microsoft-teams-for-malware-delivery