High Severity

Link: Credential theft with Cloudflare tunnel and recipient targeting

Labels

Credential Phishing
Social engineering
Evasion
Natural Language Understanding
Content analysis
URL analysis

Description

Detects messages containing credential theft language and links to trycloudflare.com tunnels that include the recipient's email address in the URL path, indicating personalized targeting for credential harvesting.

References

No references.

Sublime Security
Created Jun 10th, 2026 • Last updated Jun 10th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence != 'low'
)
and any(body.current_thread.links,
        .href_url.domain.root_domain == 'trycloudflare.com'
        and strings.icontains(.href_url.path, recipients.to[0].email.email)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started