Link: Flare-branded credential harvesting via Cloudflare tunnels

Detects inbound messages that begin with 'Flare' branding (such as FlareDoc, FlareAudio, FlareBill, FlareReport) and contain links to trycloudflare.com domains. This pattern represents a consistent actor template using Cloudflare tunnels for credential harvesting operations.

Sublime rule (View on GitHub)

```yaml
name: "Link: Flare-branded credential harvesting via Cloudflare tunnels"
description: "Detects inbound messages that begin with 'Flare' branding (such as FlareDoc, FlareAudio, FlareBill, FlareReport) and contain links to trycloudflare.com domains. This pattern represents a consistent actor template using Cloudflare tunnels for credential harvesting operations."
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.starts_with(body.current_thread.text, 'Flare')
  and any(body.links, .href_url.domain.root_domain == "trycloudflare.com")
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "ac81eaf3-cc29-5945-a3a8-2a57b3de441d"
```
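The rule's three conditions (inbound, thread text starting with `Flare`, any link whose root domain is `trycloudflare.com`), reimplemented in Python as an added example so the matching behaviour can be checked against constructed sample messages. This is not code from Sublime or from the rule page: the `Message` class is a stand-in for the message data model, and `root_domain` is a simplified assumption (last two DNS labels) in place of Sublime's public-suffix-aware `.root_domain`, which gives the same answer for `.com` hostnames.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Message:
    """Stand-in for the fields the rule reads (assumption, not Sublime's model)."""
    inbound: bool                      # type.inbound
    thread_text: str                   # body.current_thread.text
    links: List[str] = field(default_factory=list)  # body.links[].href_url


def root_domain(hostname: str) -> str:
    """Simplified root-domain extraction: the last two DNS labels.

    Sublime's .root_domain consults the public suffix list; for .com names
    (the only TLD the rule compares against) the result is identical.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def link_root_domain(href: str) -> Optional[str]:
    """Root domain of a link's hostname, or None if the URL has no host."""
    host = urlparse(href).hostname
    return root_domain(host) if host else None


def matches_flare_tunnel_rule(msg: Message) -> bool:
    """Mirror of the rule's source block: all three conditions must hold."""
    if not msg.inbound:
        return False
    # strings.starts_with is case-sensitive, so the brand must open the thread.
    if not msg.thread_text.startswith("Flare"):
        return False
    # any(body.links, .href_url.domain.root_domain == "trycloudflare.com")
    return any(link_root_domain(h) == "trycloudflare.com" for h in msg.links)


# Constructed samples (hostnames and text invented for this example).
SAMPLES: Dict[str, Message] = {
    "flaredoc_tunnel": Message(
        True, "FlareDoc: a document has been shared with you",
        ["https://quick-share-abc123.trycloudflare.com/view"]),
    "flareaudio_apex": Message(
        True, "FlareAudio voicemail", ["https://trycloudflare.com/play"]),
    "lookalike_not_root": Message(          # root domain is example.com
        True, "FlareBill invoice", ["https://trycloudflare.com.example.com/login"]),
    "brand_mid_text": Message(              # does not start with 'Flare'
        True, "Please open the FlareReport", ["https://x.trycloudflare.com/r"]),
    "outbound": Message(
        False, "FlareDoc shared", ["https://y.trycloudflare.com/v"]),
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample against the rule; returns name -> matched."""
    return {name: matches_flare_tunnel_rule(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:22s} {'MATCH' if hit else 'no match'}")
```

The `lookalike_not_root` sample shows the scope of the `.root_domain` comparison: a hostname that merely contains `trycloudflare.com` as a leading label resolves to a different root domain and is not matched, while any subdomain of `trycloudflare.com` (the form the tunnels actually use) is.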