diff --git a/detection-rules/link_multistage_landing_jotform.yml b/detection-rules/link_multistage_landing_jotform.yml new file mode 100644 index 00000000000..fc7ad7f2cdb --- /dev/null +++ b/detection-rules/link_multistage_landing_jotform.yml @@ -0,0 +1,56 @@ +name: "Link: Multistage Landing - JotForm Abuse" +description: "Detects a disabled JotForm that contains suspicious elements like secured document messaging, cloned forms, or suspicious action words in form items. Also checks for human verification pages and embedded links to credential collection sites." +type: "rule" +severity: "high" +source: | + type.inbound + and length(filter(body.links, .href_url.domain.root_domain == "jotform.com")) > 0 + and any(filter(body.links, .href_url.domain.root_domain == "jotform.com"), + + // the form as been disabled + strings.icontains(ml.link_analysis(.).final_dom.inner_text, + 'This form is disabled...' + ) + // it contains suspicious elements within the extracted "appInfo" + or any(regex.iextract(ml.link_analysis(.).final_dom.raw, + 'window\.__appInfo = (?P\{[^\;]+\})\;' + ), + strings.icontains(strings.parse_json(.named_groups["appInfo"])["description"], + 'secured document' + ) + or strings.icontains(strings.parse_json(.named_groups["appInfo"])["appIconURL"], + 'pfc_clone_' + ) + or any(strings.parse_json(.named_groups["appInfo"])["items"], + // find any links that mention common "action" words + regex.icontains(.["description"], + '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)' + ) + + // inspect the linked page within the "title" + or ( + strings.icontains(.["title"], 'http') + and ( + ml.link_analysis(strings.parse_url(.["title"])).credphish.disposition == "phishing" + or ml.link_analysis(strings.parse_url(.["title"])).credphish.contains_captcha == true + or strings.istarts_with(ml.link_analysis(strings.parse_url(.["title"] + ) + ).final_dom.inner_text, + 'Verify you are human' + ) + ) + ) + ) + ) + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Social engineering" +detection_methods: + - "Content analysis" + - "HTML analysis" + - "Javascript analysis" + - "URL analysis" +id: "5b64326f-e38e-558c-8b5f-d9e7ddee2f69"