Medium Severity

Link: Jensi File Preview Link from Unsolicited Sender

Labels

Callback Phishing

Free file host

Description

This detection rule matches on messaging containing at least one link to app.jensi.io from an unsolicited sender. Jensi provides a free trail enabling users to create upload documents and preview PDFs within the browser as native HTML. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.

References

No references.

Sublime Security

Created Oct 2nd, 2024 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(body.links,
        // jensi domain with preview link
        .href_url.domain.domain == 'app.jensi.io'
        and strings.istarts_with(.href_url.path, '/public/preview/file/')

)
// not solicited or from malicious/spam user with no FPs
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

// not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.