Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure

Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services.

Sublime rule

name: "Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure"
description: "Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(body.links,
          // eviltokens cloudflare workers domain struct
          (
            strings.iends_with(.href_url.domain.domain, '-account.workers.dev')
            and regex.icontains(.href_url.domain.domain,
                                '^(?:(?:page-)?adobe|calendar_invite|(?:page-)?docusign|fax|quarantine|onedrive|page-password|sharepoint|voicemail|index)-[a-z0-9]{3}\.[a-z0-9-]{3,}'
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "URL analysis"
id: "c7e2906c-1e51-5afd-93de-b79ba3dff278"
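To see what the link predicate above actually accepts, here is an added Python re-implementation of the rule's logic; it is example code written for this page, not Sublime's own code. It applies the same `-account.workers.dev` suffix check and the same anchored, case-insensitive regex to a set of constructed sample URLs (none are real indicators), and approximates the rule's other conditions: exactly one `To:` recipient, and a recipient address with a dotted domain as a stand-in for `domain.valid`. The sample links, the recipient address and that stand-in are assumptions.

```python
import re
from urllib.parse import urlparse

# Suffix and pattern copied from the rule; Python's re module stands in for
# Sublime's regex.icontains (case-insensitive, unanchored unless ^ is used).
WORKERS_SUFFIX = "-account.workers.dev"
EVILTOKENS_PATTERN = re.compile(
    r"^(?:(?:page-)?adobe|calendar_invite|(?:page-)?docusign|fax|quarantine"
    r"|onedrive|page-password|sharepoint|voicemail|index)-[a-z0-9]{3}\.[a-z0-9-]{3,}",
    re.IGNORECASE,
)


def link_domain(href: str) -> str:
    """Full host name of a link, the stand-in for .href_url.domain.domain."""
    host = urlparse(href).hostname
    return host.lower() if host else ""


def is_eviltokens_domain(domain: str) -> bool:
    """Per-link predicate: Workers suffix AND the brand-xxx.label naming pattern."""
    d = domain.lower()
    return d.endswith(WORKERS_SUFFIX) and EVILTOKENS_PATTERN.search(d) is not None


def matching_links(hrefs):
    """Every link in a message whose domain fits the EvilTokens structure."""
    return [h for h in hrefs if is_eviltokens_domain(link_domain(h))]


def rule_fires(to_recipients, hrefs) -> bool:
    """Approximate the whole rule. type.inbound is assumed; the recipient
    domain.valid check is approximated (assumption) by requiring a dotted domain."""
    if len(to_recipients) != 1:
        return False
    _, _, rcpt_domain = to_recipients[0].rpartition("@")
    if "." not in rcpt_domain:
        return False
    return bool(matching_links(hrefs))


# Constructed sample links (hypothetical, not real indicators) with the expected verdict.
SAMPLE_LINKS = {
    "https://adobe-k3x.tenant7-account.workers.dev/view": True,    # brand-xxx.label-account
    "https://page-docusign-a1b.q9z0-account.workers.dev/": True,   # optional "page-" prefix
    "https://VOICEMAIL-0X9.zz-account.workers.dev/listen": True,   # match is case-insensitive
    "https://onedrive-ab.c3d4-account.workers.dev/": False,        # identifier must be exactly 3 chars
    "https://adobe-k3x.tenant7.workers.dev/": False,               # no "-account" suffix
    "https://www.adobe.com/sign": False,                           # legitimate brand domain
}

if __name__ == "__main__":
    for href, expected in SAMPLE_LINKS.items():
        verdict = is_eviltokens_domain(link_domain(href))
        print(f"{'HIT ' if verdict else 'miss'} {href}  (expected {expected})")
    print("rule fires:", rule_fires(["user@example.com"], list(SAMPLE_LINKS)))
```

Running it shows three hits and three misses: the regex requires a brand or service keyword, a hyphen, exactly three alphanumeric characters, a dot, and then a label of at least three characters, while the suffix check restricts the whole thing to `*-account.workers.dev` hosts. Feeding your own extracted `href` values through `matching_links` is a quick way to check a message against the rule outside of Sublime.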