The JNLP-File-Attachment rule detects the presence of Java Network Launch Protocol files, which are commonly used by adversaries to deliver malware through deceptive file attachments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing or malware delivery attempts that leverage uncommon file types to evade traditional detection mechanisms.
KQL Query

```kql
EmailAttachmentInfo
| where FileName endswith ".jnlp"
```
```yaml
id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
name: JNLP-File-Attachment
description: |
  JNLP file extensions are an uncommon file type often used to deliver malware.
description-detailed: |
  JNLP file extensions are an uncommon file type often used to deliver malware.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailAttachmentInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailAttachmentInfo
  | where FileName endswith ".jnlp"
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Ensure this data connector is enabled |
Scenario: Legitimate Java Web Start (JNLP) File Attached in Email
Description: A user receives an email from a trusted internal team (e.g., IT Support) containing a JNLP file as part of a Java-based application deployment.
Filter/Exclusion: Check the sender’s email domain against a whitelist of trusted internal domains. Example: sender.domain == "internal-support@company.com"
Scenario: Scheduled Job Generating JNLP Files for Reporting
Description: A scheduled job runs nightly to generate JNLP files for internal reporting tools (e.g., Jaspersoft or JasperReports Server).
Filter/Exclusion: Filter by file path or process name. Example: file.path == "/opt/jasper/reports/*.jnlp" or process.name == "jasper-reports-scheduler"
Scenario: Admin Task to Deploy Java Application via JNLP
Description: An administrator is deploying a Java-based application using a JNLP file as part of a standard deployment process (e.g., using a tool like Apache JMeter or a custom deployment script).
Filter/Exclusion: Filter by user or process. Example: user.name == "admin" AND process.name == "java"
Scenario: Development Environment Using JNLP for Testing
Description: A developer is testing a Java-based application in a local development environment, which generates JNLP files as part of the build process (e.g., using Maven or Gradle).
Filter/Exclusion: Filter by source IP or file path. Example: source.ip == "192.168.1.100" or file.path == "/home/dev/project/build/*.jnlp"
Scenario: JNLP File Attached in a Legitimate Collaboration Tool
Description: A J
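The published rule returns only the bare attachment row. The query below is an added example, not part of the original rule, that enriches each `.jnlp` hit with the parent message from `EmailEvents` (sender domain, subject, delivery outcome) so an analyst can triage without a second query, and applies the trusted-internal-sender exclusion from the first scenario above. The `trusted_sender_domains` list and the value `company.com` are placeholders to replace with your own domains; the `EmailEvents` column names are assumed from the Microsoft Defender for Office 365 schema.

```kql
// Added example: .jnlp attachments enriched with message context,
// with an allowlist for trusted internal sender domains (scenario 1).
// "company.com" is a placeholder; substitute your own trusted domains.
let trusted_sender_domains = dynamic(["company.com"]);
EmailAttachmentInfo
| where Timestamp > ago(7d)
// endswith is case-insensitive in KQL, so ".JNLP" and ".Jnlp" also match
| where FileName endswith ".jnlp"
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(7d)
    | project NetworkMessageId, SenderFromDomain, Subject,
              DeliveryAction, DeliveryLocation
  ) on NetworkMessageId
// Exclude mail from allowlisted internal domains (case-insensitive compare)
| where SenderFromDomain !in~ (trusted_sender_domains)
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
          RecipientEmailAddress, Subject, FileName, FileType, SHA256,
          ThreatTypes, DeliveryAction, DeliveryLocation
| order by Timestamp desc
```

Rows where `DeliveryAction` is `Delivered` and `ThreatTypes` is empty are the ones the built-in filters did not stop and deserve first attention.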