How .ICS Attachments Become Malicious



Originally published March 14, 2021

In the ongoing and ever-evolving battle against hackers, it’s come down to this: even responding to a calendar meeting invite can give hackers the in-depth knowledge they need to wreak digital havoc on your business. How? Through .ICS attachments.

Let’s dig into what .ICS attachments are, how hackers are able to exploit them, and how Votiro can ensure your organization stays proactively protected. 

What is an .ICS File?

.ICS files were introduced in 1998, and they are different from email invitations in that they push themselves into calendar apps. .ICS attachments are one of the few file formats that are capable of doing that, and the fact that they are common to major calendar apps on all platforms gives hackers an extra edge in spreading malware. All it takes is one contaminated invitation, and you can infect a whole company.

So, how can a simple meeting invite become malicious? In the past, hackers have found ways to carry out attacks through DDE (Dynamic Data Exchange), a protocol through which Microsoft allows two running applications to share the same data. This particular vulnerability is based on .ICS attachments. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available. Thousands of applications use the DDE protocol, including Microsoft’s Excel, MS Word, Quattro Pro, and Visual Basic. Previous research also indicated that hackers used .ICS files to hook into applications and to carry out zero-footprint attacks that are essentially undetectable to standard security systems. Five years later, hackers have only gotten better at what they do, even leveraging AI to make threats easier to duplicate and implement.

How Hackers Exploit .ICS Attachments

Hackers have increasingly turned to .ICS calendar files as a stealthy way to deliver malware or phishing links, often through Outlook, where these files are treated with implicit trust. Unlike standard emails that require users to open them, .ICS invites are automatically added to users’ calendars as “tentative” appointments. This reduces friction and increases the chances of engagement.

Invitations often include Base64-encoded attachments or links to external files (via the URI property), which can contain or trigger malware once clicked or opened. A common technique involves embedding a malicious Word or Excel file (with macro-based payloads) as an attachment. Once the user accepts the invite or forwards it, the threat propagates.

Beyond attachments, .ICS files include several structured fields that attackers can abuse:

  • DESCRIPTION: Can include phishing URLs disguised as meeting info.
  • LOCATION: Clickable URLs here can lead users to fake login pages or malware downloads.
  • ATTACH: Points to external files that may be malicious, or embeds payloads directly.
  • ORGANIZER/ATTENDEE: Spoofed sender identities make invites look legitimate.

Because antivirus engines typically don’t inspect .ICS files deeply, they often slip through filters and reach user calendars unchallenged. What was once a tool for sending harmless spam has evolved into a subtle but effective method for distributing malware, credential stealers, and other threats, especially when combined with social engineering.
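For defenders, the fields listed above can be pulled out of an invite before it reaches a calendar. The following is an added example, not code from Votiro or the original article: it unfolds the iCalendar content lines and reports URLs, inline or external attachments, and an ORGANIZER that differs from the message's envelope sender. The function names, the `envelope_from` parameter and the sample invite are assumptions made for illustration.

```python
import re

URL_RE = re.compile(r"https?://[^\s\\,;\"<>]+", re.I)

# Constructed sample invite (not from a real campaign); the DESCRIPTION
# line is folded per RFC 5545 and one ATTACH carries inline Base64.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT",
    'ORGANIZER;CN="IT: Helpdesk":mailto:helpdesk@corp.example',
    "LOCATION:https://login.example.invalid/meet",
    "DESCRIPTION:Agenda and dial-in: https://files.exam",
    " ple.invalid/agenda.docm",
    "ATTACH;FMTTYPE=application/msword;ENCODING=BASE64;VALUE=BINARY:QUJD",
    "ATTACH:https://share.example.invalid/doc",
    "END:VEVENT", "END:VCALENDAR", ""])

def split_line(line):
    """Split 'NAME;PARAM=..:value' at the first colon outside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            name, *params = line[:i].upper().split(";")
            return name, params, line[i + 1:]
    return None

def triage(ics_text, envelope_from):
    """Return (property, finding, detail) tuples for fields worth review."""
    findings = []
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # undo RFC 5545 folding
    for parsed in map(split_line, unfolded.splitlines()):
        if parsed is None:
            continue
        name, params, value = parsed
        if name in ("DESCRIPTION", "LOCATION", "URL"):
            findings += [(name, "url", u) for u in URL_RE.findall(value)]
        elif name == "ATTACH" and "ENCODING=BASE64" in params:
            findings.append((name, "inline-payload", f"{len(value)} base64 chars"))
        elif name == "ATTACH":
            findings.append((name, "external-ref", value))
        elif name == "ORGANIZER":
            addr = re.sub(r"^mailto:", "", value.strip(), flags=re.I).lower()
            if addr != envelope_from.lower():
                findings.append((name, "sender-mismatch", addr))
    return findings
```

Unfolding before matching matters: the URL in the sample DESCRIPTION is split across two physical lines and would be missed by a line-by-line pattern match.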

Real-World Example: The Weaponized Meeting Invite

In a previous phishing campaign analyzed by Cofense, attackers exploited .ICS calendar invites in a clever and stealthy way. The invitation, sent from a compromised school‑district email account, contained a link to a document hosted on Microsoft SharePoint. Clicking through took recipients to a site resembling a Wells Fargo login page. The phishing site coaxed users into entering sensitive information such as login credentials, PIN, and account numbers, before redirecting them to the real Wells Fargo site to mask the attack. The ICS format and trusted SharePoint hosting allowed the campaign to bypass email filters and lure victims with a false appearance of legitimacy.

Similarly, cybercriminals also leveraged Google Calendar invites in phishing campaigns. The Register reports that attackers send .ICS files masquerading as legit meeting invites. These invites include links to Google Forms or Drawings; clicking prompts a fake reCAPTCHA or support button, ultimately leading victims to a cryptocurrency-related financial scam page. The invites are crafted with spoofed sender headers, making them appear as though they’re coming from someone the recipient knows, so they bypass standard email filters and appear in the user’s actual calendar. Wired also reports the rise of threats to Google Calendar invites via means like .ICS, illustrating the danger these invites pose when not paired with a zero-trust security solution.

Steering Clear of Malicious .ICS Files with Votiro

So, does this mean the end of calendar invites? Not at all. With Votiro, the .ICS threat is a non-issue. Using our unique CDR technology, every file is broken down into its distinct components and analyzed against strict file format specifications. In the case of .ICS files, that means checking each field, like embedded links, attachments, and metadata, for anything that doesn’t belong.

Those elements are excluded if the file contains non-standard code, suspicious URLs, or attachments that don’t match known-safe patterns. The result? A fully functional meeting invitation that retains all the legitimate content, but none of the risk. The user still sees the invite, but any malicious payload, like weaponized attachments or phishing links, is quietly removed before it ever reaches their calendar. This process, known as file sanitization, neutralizes the threat without disrupting productivity or tipping off the attacker.
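The allowlist-and-rebuild idea described above, as an added example (not Votiro's code or product logic): the invite is rebuilt from only the components and properties on an allowlist, and links in text fields are kept only when their host is explicitly trusted. The allowlists, the `trusted_hosts` parameter and the sample invite are assumptions made for illustration.

```python
import re

# Allowlists are assumptions for this example, not a vendor rule set.
ALLOWED_COMPONENTS = {"VCALENDAR", "VEVENT"}
ALLOWED_PROPS = {"BEGIN", "END", "VERSION", "PRODID", "METHOD", "UID", "DTSTAMP",
                 "DTSTART", "DTEND", "SUMMARY", "DESCRIPTION", "LOCATION",
                 "ORGANIZER", "ATTENDEE", "SEQUENCE", "STATUS"}
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION"}
# Group 1 is the URL authority; userinfo or port forms will not match a
# trusted host name exactly, so they fail closed.
URL_RE = re.compile(r"https?://([^\s\\,;\"<>/?#]+)[^\s\\,;\"<>]*", re.I)

# Constructed sample invite (not from a real campaign).
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT",
    "SUMMARY:Quarterly review",
    "LOCATION:https://meet.corp.example/room1",
    "DESCRIPTION:Sign in first: https://login.example.invalid/sso",
    "ATTACH;ENCODING=BASE64;VALUE=BINARY:QUJD",
    "X-ALT-DESC;FMTTYPE=text/html:<a href='https://login.example.invalid'>x</a>",
    "BEGIN:VALARM", "ACTION:DISPLAY", "END:VALARM",
    "END:VEVENT", "END:VCALENDAR", ""])

def sanitize(ics_text, trusted_hosts=frozenset()):
    """Rebuild an invite from allowlisted parts; return (clean_text, removed)."""
    kept, removed, skipping = [], [], None

    def scrub(match):  # keep links to trusted hosts, neutralise the rest
        if match.group(1).lower() in trusted_hosts:
            return match.group(0)
        removed.append("url " + match.group(0))
        return "[link removed]"

    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():  # unfold
        head, _, value = line.partition(":")
        name, value = head.split(";")[0].upper(), value.strip().upper()
        if skipping:  # inside a dropped component: discard through its END
            skipping = None if (name, value) == ("END", skipping) else skipping
        elif name == "BEGIN" and value not in ALLOWED_COMPONENTS:
            skipping = value
            removed.append("component " + value)
        elif name not in ALLOWED_PROPS:
            if name:
                removed.append("property " + name)
        else:
            if name in TEXT_PROPS:
                line = URL_RE.sub(scrub, line)
            # re-fold at 75 characters (ASCII assumed), as RFC 5545 recommends
            kept.append("\r\n ".join(line[i:i + 74] for i in range(0, len(line), 74)))
    return "\r\n".join(kept) + "\r\n", removed
```

The second return value is the audit trail of what was stripped, which lets a security team review removals without delivering the original file.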

Antivirus programs can’t ensure your organization stays free from these threats, and all the best sandboxes can do is block the .ICS invitation altogether (if there is a rule for that), making .ICS files useless. The point of .ICS is to be able to install invitations in a calendar automatically. If the invitations don’t get to the recipient as a calendar file, there’s no point in sending them. With Votiro, users are protected, and business flow is uninterrupted. When your organization implements our technology, invitations are once again something to be accepted, not feared.

Want to see it in action? Book a demo and experience how Votiro sanitizes ICS threats in real time.
