Caner
Senior Engineer
PacketX Technology
SPEECH
5/16 (Thu.) 15:45 - 16:15 1F 1A Threat Research Forum
Your calendar is my C2 - the alchemy of disguised communication.

C2 communication plays an indispensable role in cyberattacks. As the online environment keeps changing, C2 techniques have evolved multiple times, with attackers continuously seeking new ways to evade defense mechanisms. According to MITRE ATT&CK T1102, attackers leverage cloud-based office services to keep suspicious connections from being detected, which makes defense based on network traffic more difficult. How, then, can we effectively use network traffic to identify malicious connections to Google Calendar?