Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

PhishINvite with Malicious ICS Files

In an earlier blog entitled “Phishing in the Cloud”, we outlined that threat actors are actively crafting multi-stage phishing campaigns utilizing online cloud services and are continuously finding ways to make their spams more evasive to email gateways and link scanners.

The first stage of the multi-stage phishing campaign is a sometimes a well-crafted email, mostly spoofing an organization. The email often contains a link pointing to a cloud service hosting a malicious or fake document. On rare occasions, the link can be found in an attachment, just like a recent campaign we present in this blog.

The Phishing Campaign

The phishing emails in this campaign, allege to be from the security team of certain organizations, make use of the “account suspension” theme to lure the recipient in opening the attachment. The text in the body of the emails are identical except for the signature part – the organization the spammers are trying to mimic.

The attachment “You Have A New Message.ics” is an iCalendar, a plain text file containing calendaring and scheduling information. ICS is one of the common filetypes of attachments on legitimate emails but is also sometimes abused, as it is here.

Figure 1: The phishing email with iCalendar attachment


The ICS file attached to the email is poorly constructed as the title and description of the event are not particularly coherent. The description just instructs the recipient to click or open the Sharepoint link contained in the calendar file. Based on the Sharepoint URL’s structure, since it contains “:b” in the path, the link will lead to a PDF file, as below.

Figure 2: A Malicious PDF hosted on SharePoint contains a link to a Google Cloud Storage


Just like the emails, the PDF samples we collected in this campaign look like one another except for the logo and name of the organization the threat actors are spoofing. The text in the PDFs is just a reiteration of that in the email bodies.

A link to an HTML object hosted on Google Cloud Storage, disguised as the security key, is embedded in the PDF file. When the link in Figure 2 is clicked, the browser outright performs the redirection. No security alert about redirection is offered, in contrast to downloading and opening the PDF file in Adobe Reader, where you would be presented with a warning. The process is seamless, the user may not recognize, nor care, they are viewing a PDF in the browser.

Figure 3: The phishing site spoofing Wells Fargo
Figure 4: The phishing site spoofing Fifth Third Bank


Finally, the embedded link in the PDF file leads to a credential harvesting phishing page hosted in Google cloud. The credentials gathered by this phish are being posted to newly created domains registered under Namecheap.


Employing a popular type of file as an attachment to malicious emails is a common trick by cybercriminals to boost the success rate of their cyber-attacks. As iCalendars files are not included in the list of automatically blocked attachments by email clients like Outlook, the possibility of the maliciously crafted iCalendar falling to the targets’ mailbox is increased.

Hosting the fake documents, malicious files, and phishing pages at cloud services instead of attaching them to the email is used more and more by the threat actors to evade email scanners. In addition, by utilizing PDFs on such platforms, threat actors don’t have to deal with the security settings of the on-premise applications like Adobe Reader, as the PDFs will be seamlessly opened, and links clicked by users redirected, without warning by browsers.

Cyber-attacks often start with phishing. The information obtained through credential phishing sites can be utilized in a more targeted and sophisticated attack on the victim or the organization they belong to. We advise all users to be careful before clicking on any URLs and check their browser’s address bar before submitting credentials to any login form.

The Trustwave Secure Email Gateway (SEG) detects these phishing messages and we are continuously watching this evolving “phishing in the cloud” scenario.



53rd Message.pdf (67061 bytes) SHA1: 15548D6043623427E486B287C9A7A7789D2C6EC5
WELLS FARGO.pdf (66492 bytes) SHA1: 9918F6FF1C00266B303F772D0060C9F25BDCFB67


Related SpiderLabs Blogs