Threat hunting looking for iCal events being opened by Outlook via the wcal:// protocol can show potential ways for threat actors to hold a persistent mechanism to send ever evolving calendar invite information to trick end users into phishing campaigns and potentially deliver malicious payloads.
Check out our write-up on this to see how to detect and remove the ability for this to work > https://prpltm.github.io/posts/abusing-internet-calendaring-and-scheduling-ical/
Check out our write-up on this to see how to detect and remove the ability for this to work > https://prpltm.github.io/posts/abusing-internet-calendaring-and-scheduling-ical/