Link: Jensi File Preview Link from Unsolicited Sender
This detection rule matches on messaging containing at least one link to app.jensi.io from an unsolicited sender. Jensi provides a free trail enabling users to create upload documents and preview PDFs within the browser as native HTML. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.
Sublime rule (View on GitHub)
1name: "Link: Jensi File Preview Link from Unsolicited Sender"
2description: "This detection rule matches on messaging containing at least one link to app.jensi.io from an unsolicited sender. Jensi provides a free trail enabling users to create upload documents and preview PDFs within the browser as native HTML. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(body.links,
8 // jensi domain with preview link
9 .href_url.domain.domain == 'app.jensi.io'
10 and strings.istarts_with(.href_url.path, '/public/preview/file/')
11
12 )
13 // not solicited or from malicious/spam user with no FPs
14 and (
15 not profile.by_sender().solicited
16 or (
17 profile.by_sender().any_messages_malicious_or_spam
18 and not profile.by_sender().any_false_positives
19 )
20 )
21
22 // not from high trust sender root domains
23 and (
24 (
25 sender.email.domain.root_domain in $high_trust_sender_root_domains
26 and not headers.auth_summary.dmarc.pass
27 )
28 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
29 )
30attack_types:
31 - "Callback Phishing"
32tactics_and_techniques:
33 - "Free file host"
34 - "Free subdomain host"
35detection_methods:
36 - "Content analysis"
37 - "URL analysis"
38 - "Sender analysis"
39id: "122b39f3-de11-53f1-8e3c-b8a1938a815e"