
Summary
This detection rule identifies potential abuse of the JotForm service by analyzing disabled forms that show suspicious characteristics. It fires on inbound messages that contain links to the jotform.com domain. The linked form content is inspected for signs of abuse: a notice that the form has been disabled, "secured document" style messaging, and suspicious app information such as cloned-form markers or links whose text uses action verbs commonly associated with phishing. The rule also checks whether the linked pages present a human verification step, such as a CAPTCHA or a message asking the user to verify their identity. If any of these conditions are met, the rule flags the message as a high-severity threat indicating likely credential phishing. Detection combines content, HTML, JavaScript, and URL analysis.
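As an added example (not the rule's own code or part of the original page), the following Python sketch combines the conditions described above over constructed sample messages; the Message structure, the fetched-page text and the exact regex wordings are assumptions, not the rule's definitions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample input shape (assumption): a message plus the text fetched
# from each linked page, as the rule's HTML/content analysis would see it.
@dataclass
class Message:
    direction: str                                   # "inbound" or "outbound"
    links: list                                      # URLs found in the body
    link_pages: dict = field(default_factory=dict)   # url -> fetched page text

# Indicator patterns paraphrased from the rule summary (assumed wording).
INDICATORS = {
    "form_disabled":      re.compile(r"this form is (currently )?disabled|form (has been|is) disabled", re.I),
    "secured_document":   re.compile(r"secured? document", re.I),
    "cloned_form":        re.compile(r"\bclone(d)? (of|form)\b", re.I),
    "action_verb_link":   re.compile(r"<a[^>]*>\s*(view|access|open|verify|review|confirm)\b", re.I),
    "human_verification": re.compile(r"captcha|verify (that )?you are (a )?human|verify your identity", re.I),
}

def is_jotform(url):
    # Match the apex domain and any subdomain (e.g. form.jotform.com).
    host = (urlparse(url).hostname or "").lower()
    return host == "jotform.com" or host.endswith(".jotform.com")

def evaluate(msg):
    """Return (matched, severity, sorted indicator names) for one message."""
    if msg.direction != "inbound":
        return False, None, []
    jotform_links = [u for u in msg.links if is_jotform(u)]
    if not jotform_links:
        return False, None, []
    hits = set()
    for url in jotform_links:
        page = msg.link_pages.get(url, "")
        for name, rx in INDICATORS.items():
            if rx.search(page):
                hits.add(name)
    if hits:
        return True, "high", sorted(hits)
    return False, None, []
```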
Categories
- Web
- Cloud
- Application
Data Sources
- Web Credential
- Network Traffic
- Process
Created: 2025-07-10