Link: Multistage landing - JotForm abuse

calendar Oct 17, 2025  ·
Share on: linkedin copy

Detects a disabled JotForm that contains suspicious elements like secured document messaging, cloned forms, or suspicious action words in form items. Also checks for human verification pages and embedded links to credential collection sites.

Sublime rule (View on GitHub)

 1name: "Link: Multistage landing - JotForm abuse"
 2description: "Detects a disabled JotForm that contains suspicious elements like secured document messaging, cloned forms, or suspicious action words in form items. Also checks for human verification pages and embedded links to credential collection sites."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(filter(body.links, .href_url.domain.root_domain == "jotform.com")) > 0
 8  and any(filter(body.links, .href_url.domain.root_domain == "jotform.com"),
 9          // the form as been disabled
10          strings.icontains(ml.link_analysis(.).final_dom.inner_text,
11                            'This form is disabled...'
12          )
13          // lure to open a document with phishing intent
14          or (
15            any(ml.link_analysis(.).final_dom.links,
16                regex.icontains(.display_text, "VIEW DOCUMENT ONLINE")
17                and ml.link_analysis(.href_url).credphish.disposition == "phishing"
18            )
19          )
20          // it contains suspicious elements within the extracted "appInfo"
21          or any(regex.iextract(ml.link_analysis(.).final_dom.raw,
22                                'window\.__appInfo = (?P<appInfo>\{[^\;]+\})\;'
23                 ),
24                 // the title/description/name contains suspicious keywords
25                 any([
26                       strings.parse_json(.named_groups["appInfo"])["title"],
27                       strings.parse_json(.named_groups["appInfo"])["description"],
28                       strings.parse_json(.named_groups["appInfo"])["name"]
29                     ],
30                     strings.icontains(., 'secured document')
31                     or strings.icontains(., 'Adobe PDF')
32                 )
33                 or any(strings.parse_json(.named_groups["appInfo"])["items"],
34                        // find any links that mention common "action" words
35                        any([.["description"], .["title"]],
36                            regex.icontains(.,
37                                            '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
38                            )
39                        )
40  
41                        // inspect the linked page within the "buttonValue" or .title contains a link
42                        or (
43                          any([.["buttonValue"], .["title"]],
44                              strings.icontains(., 'http')
45                              and (
46                                ml.link_analysis(strings.parse_url(.)).credphish.disposition == "phishing"
47                                or ml.link_analysis(strings.parse_url(.)).credphish.contains_captcha == true
48                                or strings.istarts_with(ml.link_analysis(strings.parse_url(.
49                                                                         )
50                                                        ).final_dom.inner_text,
51                                                        'Verify you are human'
52                                )
53                              )
54                          )
55                        )
56                 )
57          )
58  )  
59attack_types:
60  - "Credential Phishing"
61tactics_and_techniques:
62  - "Evasion"
63  - "Social engineering"
64detection_methods:
65  - "Content analysis"
66  - "HTML analysis"
67  - "Javascript analysis"
68  - "URL analysis"
69id: "5b64326f-e38e-558c-8b5f-d9e7ddee2f69"
to-top