Techniques
Sample rules
Gsuite suspicious calendar invite
- source: splunk
- techniques:
- T1566
Description
The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization.
Detection logic
`gsuite_calendar`
| bin span=5m _time
| rename parameters.* as *
| search target_calendar_id!=null email="*yourdomain.com"
| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time
| where count > 100
| `gsuite_suspicious_calendar_invite_filter`
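As an added illustration (not code from the rule's source or from Splunk), the following Python emulates each stage of the search above over a constructed set of calendar events, so the 5-minute binning and the count threshold can be exercised offline. It assumes each event is a dict with `_time`, `email` and a nested `parameters` dict (mirroring `parameters.target_calendar_id` and friends), and it stands in for the `gsuite_suspicious_calendar_invite_filter` macro with a simple sender allowlist; both are assumptions, not the sourcetype's real schema or the macro's real body.

```python
"""Stand-alone emulation of the 'Gsuite suspicious calendar invite' search.

Constructed sample events stand in for the `gsuite_calendar` sourcetype; the
field names follow the SPL (parameters.target_calendar_id etc.).
"""
from collections import defaultdict

SPAN_SECONDS = 5 * 60               # `bin span=5m _time`
THRESHOLD = 100                     # `where count > 100`
DOMAIN_WILDCARD = "yourdomain.com"  # `email="*yourdomain.com"` (suffix match)


def bin_time(ts: int, span: int = SPAN_SECONDS) -> int:
    """Round a timestamp down to the start of its span-wide bucket."""
    return ts - (ts % span)


def flatten_parameters(event: dict) -> dict:
    """Emulate `rename parameters.* as *`: hoist nested fields to the top level."""
    flat = {k: v for k, v in event.items() if k != "parameters"}
    flat.update(event.get("parameters") or {})
    return flat


def detect_suspicious_invites(events, threshold=THRESHOLD, span=SPAN_SECONDS,
                              allowlist=frozenset()):
    """Return one row per (email, bucket) whose invite count exceeds the threshold.

    `allowlist` is an assumed stand-in for the
    `gsuite_suspicious_calendar_invite_filter` macro (known-benign senders).
    """
    groups = defaultdict(lambda: {"count": 0, "target_calendar_id": set(),
                                  "event_title": set(), "event_guest": set()})
    for raw in events:
        ev = flatten_parameters(raw)
        # `search target_calendar_id!=null email="*yourdomain.com"`
        if ev.get("target_calendar_id") is None:
            continue
        email = ev.get("email", "")
        if not email.endswith(DOMAIN_WILDCARD):
            continue
        # `stats count values(...) by email _time` on the binned _time
        key = (email, bin_time(ev["_time"], span))
        g = groups[key]
        g["count"] += 1
        for field in ("target_calendar_id", "event_title", "event_guest"):
            if ev.get(field) is not None:
                g[field].add(ev[field])
    # `where count > 100`, then the filter macro
    hits = []
    for (email, t), g in sorted(groups.items()):
        if g["count"] > threshold and email not in allowlist:
            hits.append({"email": email, "_time": t, "count": g["count"],
                         "target_calendar_id": sorted(g["target_calendar_id"]),
                         "event_title": sorted(g["event_title"]),
                         "event_guest": sorted(g["event_guest"])})
    return hits


def build_sample_events(base: int = 1_704_067_200):
    """Constructed sample log: one bursting sender, one slow spreader, a normal
    user, an out-of-domain sender, and rows with no target calendar."""
    def invite(email, ts, n, title):
        guest = f"guest{n}@external.example"
        return {"_time": ts, "email": email,
                "parameters": {"target_calendar_id": guest,
                               "event_title": title, "event_guest": guest}}
    events = []
    # alice: 120 invites in 120 seconds -> all inside one 5-minute bucket
    events += [invite("alice@yourdomain.com", base + i, i, "Invoice overdue") for i in range(120)]
    # carol: 150 invites spaced 10 s apart -> 30 per bucket, never exceeds 100
    events += [invite("carol@yourdomain.com", base + 10 * i, i, "Sync") for i in range(150)]
    # bob: ordinary usage
    events += [invite("bob@yourdomain.com", base + 60 * i, i, "1:1") for i in range(5)]
    # mallory: high volume but outside the domain filter
    events += [invite("mallory@other.example", base + i, i, "Prize") for i in range(200)]
    # rows without parameters.target_calendar_id are dropped by the search
    events += [{"_time": base + i, "email": "alice@yourdomain.com", "parameters": {}}
               for i in range(50)]
    return events


if __name__ == "__main__":
    for row in detect_suspicious_invites(build_sample_events()):
        print(row["email"], row["_time"], row["count"], len(row["event_guest"]))
```

Only the burst sender is reported; the sender who spreads the same volume across several buckets stays under the threshold in every bucket, which is the trade-off a 5-minute span makes. The emulation matches `email` by suffix exactly as the `*yourdomain.com` wildcard does, so an address ending in `notyourdomain.com` would also pass that clause; anchoring the pattern on `@yourdomain.com` is the tighter form if only first-party senders are intended.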