From 4ca0cfd73166ec2d2fb5b092064b39c77115d975 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Wed, 11 Jun 2025 10:13:03 -0500
Subject: [PATCH 1/3] Create link_multistage_landing_jotform.yml
---
 .../link_multistage_landing_jotform.yml | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 detection-rules/link_multistage_landing_jotform.yml
diff --git a/detection-rules/link_multistage_landing_jotform.yml b/detection-rules/link_multistage_landing_jotform.yml
new file mode 100644
index 00000000000..bb7f1b0ce39
--- /dev/null
+++ b/detection-rules/link_multistage_landing_jotform.yml
@@ -0,0 +1,55 @@
+name: "Link: Multistage Landing - JotForm Abuse"
+description: "Detects a disabled JotForm that contains suspicious elements like secured document messaging, cloned forms, or suspicious action words in form items. Also checks for human verification pages and embedded links to credential collection sites."
+type: "rule"
+severity: ""
+source: |
+ type.inbound
+ and length(filter(body.links, .href_url.domain.root_domain == "jotform.com")) > 0
+ and any(filter(body.links, .href_url.domain.root_domain == "jotform.com"),
+
+ // the form as been disabled
+ strings.icontains(ml.link_analysis(.).final_dom.inner_text,
+ 'This form is disabled...'
+ )
+ // it contains suspicious elements within the extracted "appInfo"
+ or any(regex.iextract(ml.link_analysis(.).final_dom.raw,
+ 'window\.__appInfo = (?P\{[^\;]+\})\;'
+ ),
+ strings.icontains(strings.parse_json(.named_groups["appInfo"])["description"],
+ 'secured document'
+ )
+ or strings.icontains(strings.parse_json(.named_groups["appInfo"])["appIconURL"],
+ 'pfc_clone_'
+ )
+ or any(strings.parse_json(.named_groups["appInfo"])["items"],
+ // find any links that mention common "action" words
+ regex.icontains(.["description"],
+ '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
+ )
+
+ // inspect the linked page within the "title"
+ or (
+ strings.icontains(.["title"], 'http')
+ and (
+ ml.link_analysis(strings.parse_url(.["title"])).credphish.disposition == "phishing"
+ or ml.link_analysis(strings.parse_url(.["title"])).credphish.contains_captcha == true
+ or strings.istarts_with(ml.link_analysis(strings.parse_url(.["title"]
+ )
+ ).final_dom.inner_text,
+ 'Verify you are human'
+ )
+ )
+ )
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "URL analysis"
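Review bot: The description says the rule detects a disabled JotForm *that contains* suspicious elements, but in `source` the `'This form is disabled...'` check is joined to the `appInfo` checks with `or`, so any inbound link to a legitimately disabled form is enough on its own to fire the rule; either change that operator to `and` or reword the description so it states the intended disjunction. The capture in `'window\.__appInfo = (?P\{[^\;]+\})\;'` cannot span a `;` anywhere inside the serialized object (a URL query string or free text in a form description would do it), and when it fails the whole `appInfo` branch is skipped silently, so this is worth confirming against real samples and terminating on something less brittle. The named group also renders here as `(?P\{`, which may be an artifact of this view; the group must be `(?P<appInfo>...)` for `.named_groups["appInfo"]` to resolve, so please verify the committed file. Minor: the comment `// the form as been disabled` should read `// the form has been disabled`.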
From 5693c353ef2d68ad8cfe1a87b4d9a1bf9477c990 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Wed, 11 Jun 2025 10:15:26 -0500
Subject: [PATCH 2/3] Update link_multistage_landing_jotform.yml
---
 detection-rules/link_multistage_landing_jotform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/link_multistage_landing_jotform.yml b/detection-rules/link_multistage_landing_jotform.yml
index bb7f1b0ce39..941fb5a6dc2 100644
--- a/detection-rules/link_multistage_landing_jotform.yml
+++ b/detection-rules/link_multistage_landing_jotform.yml
@@ -1,7 +1,7 @@
 name: "Link: Multistage Landing - JotForm Abuse"
 description: "Detects a disabled JotForm that contains suspicious elements like secured document messaging, cloned forms, or suspicious action words in form items. Also checks for human verification pages and embedded links to credential collection sites."
 type: "rule"
-severity: ""
+severity: "high"
 source: |
 type.inbound
 and length(filter(body.links, .href_url.domain.root_domain == "jotform.com")) > 0
From 3f29784876f7d3a9ef8f1fb10bbd76f57dbe97a4 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 11 Jun 2025 15:15:53 +0000
Subject: [PATCH 3/3] Auto add rule ID
---
 detection-rules/link_multistage_landing_jotform.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/link_multistage_landing_jotform.yml b/detection-rules/link_multistage_landing_jotform.yml
index 941fb5a6dc2..fc7ad7f2cdb 100644
--- a/detection-rules/link_multistage_landing_jotform.yml
+++ b/detection-rules/link_multistage_landing_jotform.yml
@@ -53,3 +53,4 @@ detection_methods:
 - "HTML analysis"
 - "Javascript analysis"
 - "URL analysis"
+id: "5b64326f-e38e-558c-8b5f-d9e7ddee2f69"