Link: Credential theft with Cloudflare tunnel and recipient targeting

Detects messages containing credential theft language and links to trycloudflare.com tunnels that include the recipient's email address in the URL path, indicating personalized targeting for credential harvesting.

Sublime rule (View on GitHub)

name: "Link: Credential theft with Cloudflare tunnel and recipient targeting"
description: "Detects messages containing credential theft language and links to trycloudflare.com tunnels that include the recipient's email address in the URL path, indicating personalized targeting for credential harvesting."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == 'cred_theft' and .confidence != 'low'
  )
  and any(body.current_thread.links,
          .href_url.domain.root_domain == 'trycloudflare.com'
          and strings.icontains(.href_url.path, recipients.to[0].email.email)
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "URL analysis"
id: "4d8919dd-238a-5381-b683-b4f5078e00da"
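The rule above runs inside Sublime's engine, so it cannot be exercised directly outside the platform. The following is an added Python example, not part of the rule or of Sublime's code, that reimplements the link-and-recipient correlation the rule performs so it can be tested against a sample message offline. The HTML body, tunnel hostname, recipient address and NLU intent list are all constructed for this example; the NLU classifier itself is not reproduced, its output is simply taken as input. The example goes slightly beyond the rule by percent-decoding the URL path before the case-insensitive comparison, so a recipient address written as alice%40example.com is also caught; `root_domain` is a two-label simplification of Sublime's public-suffix-based `.root_domain`, which gives the same answer for trycloudflare.com subdomains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample message body. The tunnel hostname and the recipient
# address are invented for this example.
SAMPLE_HTML = """
<p>Your mailbox password expires today. Verify now to avoid interruption:</p>
<a href="https://quiet-river-1234.trycloudflare.com/login/alice.smith@example.com">Verify account</a>
<p>Thank you,<br>IT Helpdesk</p>
"""

SAMPLE_RECIPIENT = "Alice.Smith@example.com"

# Stand-in for ml.nlu_classifier(body.current_thread.text).intents. In Sublime
# this comes from the platform's model; here it is a constructed value.
SAMPLE_INTENTS = [{"name": "cred_theft", "confidence": "high"}]


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags (the rule's body.current_thread.links)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def root_domain(hostname):
    """Simplified root domain: the last two labels of the hostname.
    Sublime's .root_domain uses the public suffix list; for
    *.trycloudflare.com both give 'trycloudflare.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def has_cred_theft_intent(intents):
    """Mirror of: any(intents, .name == 'cred_theft' and .confidence != 'low')."""
    return any(i["name"] == "cred_theft" and i["confidence"] != "low" for i in intents)


def link_targets_recipient(href, recipient_email, tunnel_root="trycloudflare.com"):
    """True when the link is a trycloudflare.com tunnel whose path contains the
    recipient's address, compared case-insensitively like strings.icontains.
    The path is percent-decoded first, which the rule's raw-path check does not do."""
    url = urlparse(href)
    if not url.hostname or root_domain(url.hostname) != tunnel_root:
        return False
    path = unquote(url.path).lower()
    return recipient_email.lower() in path


def rule_matches(html_body, recipient_email, intents):
    """Combined verdict: credential-theft intent AND a personalised tunnel link."""
    if not has_cred_theft_intent(intents):
        return False
    return any(link_targets_recipient(h, recipient_email) for h in extract_links(html_body))


if __name__ == "__main__":
    print(rule_matches(SAMPLE_HTML, SAMPLE_RECIPIENT, SAMPLE_INTENTS))
```

Swapping the recipient for one whose address is not in the path, or lowering the intent confidence to 'low', makes `rule_matches` return False, which is the same behaviour the MQL `and` chain produces: both the language signal and the personalised link are required before the rule fires.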