This is a tactic I haven’t seen before. It sends the content of the typical phishing email to users via an .ics file, so if/when they open it, it adds it to their calendar in Outlook or other compatible programs and puts the text payload in the description of the event.
This might make it necessary to just block .ics attachments at the server-level. If all the content is in the .ics attachment in email, then Spamassassin and other checks might just leave it along. Ugh.