ICS phishing with Jon Gaulding
Join us for this week's Defender Fridays as we explore ICS phishing and calendar invite abuse with John Gaulding, Full Stack Engineer at Sublime Security. John examines how attackers are weaponizing calendar invites to bypass email security defenses and create persistent attack vectors.
At Defender Fridays, we delve into the dynamic world of information security, exploring its defensive side with seasoned professionals from across the industry. Our aim is simple yet ambitious: to foster a collaborative space where ideas flow freely, experiences are shared, and knowledge expands.
What We'll Discuss
In this episode, John reveals how a technique that's been around since 2020-2021 has exploded in usage, growing approximately 20x between Q2 and Q4 of this year. He discusses how calendar invites automatically added to user calendars create a persistent attack surface that remains even after malicious emails are deleted, and why current security solutions struggle to address this technique.
Key Topics:
- The dramatic rise of ICS phishing and why it's suddenly everywhere
- How Google and Microsoft handle calendar invites by default and configuration options
- Why malicious calendar invites persist even after emails are removed
- Attack payloads paired with calendar invites, including callback phishing and invoice fraud
- Open source remediation tooling being released to help organizations clean up malicious calendar events
Register for Live Sessions
Join us every Friday at 10:30am PT for live, interactive discussions with industry experts. Whether you're a seasoned professional or just curious about the field, these sessions offer an engaging dialogue between our guests, hosts, and you – our audience.
Register here: https://limacharlie.io/defender-fridays
Subscribe to our YouTube channel and hit the notification bell so you never miss a live session, or catch up on past episodes on our website!
Sponsored by LimaCharlie
This episode is brought to you by LimaCharlie, the world's first SecOps Cloud Platform (SCP). Build and customize your security stack like "lego blocks" with our flexible, API-first solution.
Why LimaCharlie?
- Eliminate vendor sprawl and tool complexity
- Deploy and scale effortlessly on native multi-tenant architecture
- Reduce costs with intelligent data routing and free 1-year retention
- Build custom solutions with 100+ security capabilities on-demand
- Improve response times with automation and real-time capabilities
Try the SecOps Cloud Platform free: https://limacharlie.io
Learn more: https://docs.limacharlie.io
Follow LimaCharlie
Sign up for free: https://limacharlie.io
LinkedIn: https://www.linkedin.com/company/limacharlieio/
X: https://x.com/limacharlieio
Community Discourse: https://community.limacharlie.com/
Host: Maxime Lamothe-Brassard - Founder at LimaCharlie
LinkedIn: https://www.linkedin.com/in/maximelb/
#defenders #cybersecurity #phishing #emailsecurity #secops #infosec #cyberdefense