MITRE ATT&CK Technique: Phishing (T1566)
1.1 Calendar as an Initial Access Vector
An ICS file is a plain-text file.
- It begins with a header indicating the version and method of the calendar data being shared
- Its components are:
  - VEVENT for calendar events,
  - VTODO for to-do items, and
  - VJOURNAL for journal entries
Fields in an ICS file
Organizer:
ORGANIZER;CN="John Doe":mailto:[email protected]
Timings:
DTSTART;TZID=America/New_York:20231015T090000
DTEND;TZID=America/New_York:20231015T100000
Description:
DESCRIPTION:Weekly team meeting to discuss project updates and milestones.
We can place our malicious link in the DESCRIPTION field of the calendar invite.
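A defender-side check for the DESCRIPTION field discussed above, added here as an example and not part of the original notes: it unfolds the ICS lines, reads the text properties of each VEVENT and reports links whose host is not on an allowlist. The allowlist, the sample invite and its `.example` domain are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this organisation accepts in meeting invites.
ALLOWED_HOSTS = {"teams.microsoft.com"}
# Text shown to the recipient (X-ALT-DESC is Outlook's HTML description).
TEXT_PROPS = {"DESCRIPTION", "LOCATION", "X-ALT-DESC"}
# NAME, then parameters (quoted strings may contain ':'), then ':' and the value.
PROP_RE = re.compile(r'^([A-Za-z0-9-]+)((?:"[^"]*"|[^":])*):(.*)$')
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def unfold(ics_text):
    """RFC 5545 sec. 3.1: a line break followed by space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def unescape(value):
    """Undo RFC 5545 TEXT escaping: \\n, \\N, \\, \\; and \\\\."""
    return re.sub(r"\\([nN,;\\])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def host_allowed(url, allowed):
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. an unbalanced '['
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)

def suspicious_links(ics_text, allowed=ALLOWED_HOSTS):
    """Return (property, url) for every VEVENT link whose host is not allowed."""
    findings, in_event = [], False
    for line in unfold(ics_text):
        m = PROP_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(3)
        if name in ("BEGIN", "END") and value.strip().upper() == "VEVENT":
            in_event = name == "BEGIN"
        elif in_event and name in TEXT_PROPS:
            for url in URL_RE.findall(unescape(value)):
                url = url.rstrip(".,;)")
                if not host_allowed(url, allowed):
                    findings.append((name, url))
    return findings

# Constructed sample: the first URL is folded across two physical lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "DESCRIPTION:Join: https://teams.microsoft.com.meet\r\n ing-login.example/l/join"
    "\\nHelp: https://teams.microsoft.com/l/help\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
```

Scanning the raw file line by line would miss the folded URL; unfolding first is what makes the host comparison reliable.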
1.2 Abusing Calendars
We can use an HTML template that mimics the Teams meeting invite, with the meeting link directing to an attacker domain.
Emails can be sent with this command.