// Detection logic: inbound messages carrying at least one link on jotform.com
// where link analysis of such a link shows one of the abuse patterns below.
// Inside the outer any(), "." is the current jotform.com link from body.links.
type.inbound
and length(filter(body.links, .href_url.domain.root_domain == "jotform.com")) > 0
// NOTE(review): the same filter() is repeated here; if any() over an empty list
// evaluates to false, the length() check on the previous line is redundant — confirm.
and any(filter(body.links, .href_url.domain.root_domain == "jotform.com"),
// the form has been disabled: the rendered page text says so
// (presumably because the form was already reported or taken down — confirm)
strings.icontains(ml.link_analysis(.).final_dom.inner_text,
'This form is disabled...'
)
// lure to open a document with phishing intent: a link on the rendered form
// labelled "VIEW DOCUMENT ONLINE" whose destination is classified as phishing
or (
any(ml.link_analysis(.).final_dom.links,
regex.icontains(.display_text, "VIEW DOCUMENT ONLINE")
and ml.link_analysis(.href_url).credphish.disposition == "phishing"
)
)
// it contains suspicious elements within the extracted "appInfo"
// (the JSON object assigned to window.__appInfo in the page source; the pattern
// only matches when that object sits on a single line terminated by ";" and a newline)
or any(regex.iextract(ml.link_analysis(.).final_dom.raw,
'window\.__appInfo = (?P<appInfo>\{[^\n]+\})\;\n'
),
// the title/description/name contains suspicious keywords
// (document-themed lure wording; the appInfo group is re-parsed for each field)
any([
strings.parse_json(.named_groups["appInfo"])["title"],
strings.parse_json(.named_groups["appInfo"])["description"],
strings.parse_json(.named_groups["appInfo"])["name"]
],
strings.icontains(., 'secured document')
or strings.icontains(., 'Adobe PDF')
)
// or any element of the form's "items" array looks like a call-to-action lure
or any(strings.parse_json(.named_groups["appInfo"])["items"],
// find any links that mention common "action" words
// (regex.icontains is case-insensitive, so the mixed case in the alternation
// is cosmetic; "Va[il]idar" matches both "validar" and "vaiidar")
any([.["description"], .["title"]],
regex.icontains(.,
'(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
)
)
// inspect the page linked from "buttonValue" or "title" when either contains a URL
// (the 'http' test is a plain substring check; whatever passes is handed to parse_url)
or (
any([.["buttonValue"], .["title"]],
strings.icontains(., 'http')
and (
// destination classified as phishing, gated by a CAPTCHA, or showing
// a page whose text begins with a human-verification challenge
// (presumably a bot-check screen placed in front of the lure — confirm)
ml.link_analysis(strings.parse_url(.)).credphish.disposition == "phishing"
or ml.link_analysis(strings.parse_url(.)).credphish.contains_captcha == true
or strings.istarts_with(ml.link_analysis(strings.parse_url(.
)
).final_dom.inner_text,
'Verify you are human'
)
)
) // end: any() over buttonValue/title
)
) // end: any() over appInfo items
) // end: any() over extracted appInfo
) // end: any() over jotform.com links