EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Link: Jensi file preview link from unsolicited sender

This detection rule matches on messaging containing at least one link to app.jensi.io from an unsolicited sender. Jensi provides a free trail enabling users to create upload documents and preview PDFs within the browser as native HTML. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.

MITRE ATT&CK

T1566.003T1598

Detection Query

type.inbound
and any(body.links,
        // jensi domain with preview link
        .href_url.domain.domain == 'app.jensi.io'
        and strings.istarts_with(.href_url.path, '/public/preview/file/')
)
// not solicited or from malicious/spam user with no FPs
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

// not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Link: Jensi file preview link from unsolicited sender"
description: "This detection rule matches on messaging containing at least one link to app.jensi.io from an unsolicited sender.  Jensi provides a free trail enabling users to create upload documents and preview PDFs within the browser as native HTML.  This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          // jensi domain with preview link
          .href_url.domain.domain == 'app.jensi.io'
          and strings.istarts_with(.href_url.path, '/public/preview/file/')
  )
  // not solicited or from malicious/spam user with no FPs
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  
  // not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"
id: "122b39f3-de11-53f1-8e3c-b8a1938a815e"