Document Review Detours to Legitimate Jotform Platform

Jotform is used to create online forms and apps that collect data, process payments, and automate workflows without coding. It is a versatile tool for businesses and individuals in legitimate use cases. However, the same features give threat actors opportunities to abuse the platform for malicious purposes such as phishing, information gathering, and malware distribution.

Threat actors compromised a user’s account and used the user’s signature and organization branding to send multiple phishing emails. The emails purport to be powered by Docusign and claim to deliver a document for review. Depending on the campaign, the subject line indicates either a file transfer notification (which does not match the message content, as shown in the above image) or a named document for review.

If the “Review Documents” button is clicked, the target is directed to the Jotform platform, which displays a fake form designed to convince users to “install” an app. Threat actors use the sender’s organization name from the compromised account as the form title, so it appears in the web browser’s tab and in the app, making it look legitimate. Being asked to install an app to view a document is typically a red flag, especially when the app is presented as a popular Microsoft or Adobe product or service, since most businesses already use those products for their work assets. If the “app” is installed, it is added to the home screen and claims to open and run safely in a focused window, to offer quick-access options such as pinning to the taskbar or start menu, and to sync across multiple devices. Additionally, the user is prompted with a Cloudflare check to verify that they are human and to “activate” safe browsing features.

A Microsoft phishing page is then displayed, featuring stolen branding, to trick users into entering their account credentials to review the supposed document. Another red flag is the URL, because the domain name does not contain “Microsoft”. Instead, it contains “document365s” followed by “.com”, with a “.de” country-code top-level domain (TLD) appended so that a quick glance reads it as a .com address.
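The two URL red flags described above (a brand sign-in page served from a domain that is not the brand's, and a ".com" glued onto a country-code TLD) can be checked mechanically before a user or analyst clicks. The following is an added example written for this page, not code from the original article or from Jotform, Microsoft or Docusign. The brand-to-domain allowlist is illustrative and incomplete, the registrable-domain logic is a simple heuristic rather than a public-suffix-list lookup, and the sample lure URL is constructed from the fragments the text mentions ("document365s", ".com.de"), not the actual URL used in the campaign.

```python
"""Heuristic red-flag checks for credential-phishing URLs (added example)."""
import re
from typing import List
from urllib.parse import urlsplit

# Illustrative allowlist of registrable domains on which a brand's genuine
# sign-in pages live. This is an assumption for the example, not an
# authoritative list; extend it from your own telemetry.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

# A ".com" immediately followed by a two-letter country-code suffix, e.g.
# ".com.de": the host reads as a .com address at a glance but is not one.
COM_CC_RE = re.compile(r"\.com\.[a-z]{2}$")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain without a public-suffix list:
    the last two labels normally, the last three when the host ends in
    '.com.<cc>' so the glued-on '.com' is not mistaken for the real TLD."""
    labels = host.split(".")
    n = 3 if COM_CC_RE.search(host) else 2
    return ".".join(labels[-n:]) if len(labels) >= n else host


def red_flags(url: str, claimed_brand: str) -> List[str]:
    """Return human-readable reasons why `url` does not belong to the brand
    whose login page it imitates. An empty list means no heuristic fired."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ["no hostname in URL"]
    reg = registrable_domain(host)
    brand = claimed_brand.lower()
    legit = BRAND_DOMAINS.get(brand, set())

    # Red flag 1 from the text: the page claims a brand the domain does not carry.
    if reg not in legit:
        flags.append(f"{brand!r} page served from {reg!r}, which is not a known {brand} domain")
    # Red flag 2 from the text: '.com' appended with a country-code TLD.
    if COM_CC_RE.search(host):
        flags.append(f"host ends in '.com.{host[-2:]}': '.com' glued to a country-code TLD")
    # Related trick: brand name placed in a subdomain of an unrelated domain.
    if brand in host and reg not in legit:
        flags.append(f"brand name {brand!r} appears in the host but not as its registrable domain")
    if parts.scheme != "https":
        flags.append("not served over https")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs; the first is shaped like the lure in the text.
    for sample in (
        "https://document365s.com.de/review/",
        "https://login.microsoftonline.com/common/oauth2/",
        "https://microsoft.com.evil-example.test/login",
    ):
        print(sample, "->", red_flags(sample, "microsoft") or "no flags")
```

Running the block prints two flags for the constructed "document365s.com.de" lure (unknown domain, ".com.de" suffix), none for a genuine microsoftonline.com sign-in URL, and two for a host that hides "microsoft.com" inside a subdomain. The heuristics are a triage aid for mail-gateway rules or analyst tooling, not a verdict: an allowlist miss only means "verify", and a real deployment should replace `registrable_domain` with a public-suffix-list lookup.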