Link: Jensi file preview link from unsolicited sender
This detection rule matches on messaging containing at least one link to app.jensi.io from an unsolicited sender. Jensi provides a free trail enabling users to create upload documents and preview PDFs within the browser as native HTML. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.
Sublime rule (View on GitHub)
1name: "Link: Jensi file preview link from unsolicited sender"
2description: "This detection rule matches on messaging containing at least one link to app.jensi.io from an unsolicited sender. Jensi provides a free trail enabling users to create upload documents and preview PDFs within the browser as native HTML. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(body.links,
8 // jensi domain with preview link
9 .href_url.domain.domain == 'app.jensi.io'
10 and strings.istarts_with(.href_url.path, '/public/preview/file/')
11 )
12 // not solicited or from malicious/spam user with no FPs
13 and (
14 not profile.by_sender().solicited
15 or (
16 profile.by_sender().any_messages_malicious_or_spam
17 and not profile.by_sender().any_messages_benign
18 )
19 )
20
21 // not from high trust sender root domains
22 and (
23 (
24 sender.email.domain.root_domain in $high_trust_sender_root_domains
25 and not headers.auth_summary.dmarc.pass
26 )
27 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
28 )
29attack_types:
30 - "Callback Phishing"
31tactics_and_techniques:
32 - "Free file host"
33 - "Free subdomain host"
34detection_methods:
35 - "Content analysis"
36 - "URL analysis"
37 - "Sender analysis"
38id: "122b39f3-de11-53f1-8e3c-b8a1938a815e"