
Link: Flare-branded credential harvesting via Cloudflare tunnels

Sublime Rules

Summary
This rule detects inbound messages whose body starts with Flare branding (examples include FlareDoc, FlareAudio, FlareBill, FlareReport) and that contain links to domains under trycloudflare.com. The pattern indicates a threat-actor template that uses Cloudflare tunnels for credential harvesting via phishing.

The detection relies on content analysis of the inbound thread text (a prefix match on the message body) and URL analysis to identify trycloudflare.com links. When both conditions are met, the rule fires as a high-severity credential-phishing indicator.

The rule captures a common social-engineering technique: the attacker presents a legitimate-looking branded interface while funnelling victims through a Cloudflare tunnel for credential harvesting. It complements detections for branded phishing campaigns and tunneling-based exfiltration pathways, and it highlights the use of free subdomain hosting as part of the actor's infrastructure template.
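The two conditions described above (a Flare-branded prefix on the body text, plus at least one link whose host is trycloudflare.com or a subdomain of it) can be exercised outside the mail platform. The following is an added example written for this page; it is not the Sublime rule itself nor its MQL, and it assumes a minimal hypothetical `Message` model with a body string and a list of extracted link URLs. The sample messages are constructed for illustration. The domain check is a suffix match on the parsed hostname rather than a substring search, so hosts such as `trycloudflare.com.evil.example` or `nottrycloudflare.com` do not match.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Message:
    """Hypothetical minimal message model (not Sublime's object model)."""
    body_text: str
    links: List[str]


# Body must begin (after optional whitespace) with "Flare" followed by more word
# characters, e.g. FlareDoc, FlareAudio, FlareBill, FlareReport.
FLARE_PREFIX = re.compile(r"^\s*flare\w*", re.IGNORECASE)

# Cloudflare quick-tunnel hostnames live under this zone.
TUNNEL_DOMAIN = "trycloudflare.com"


def has_flare_branding(body_text: str) -> bool:
    """True when the message body starts with a Flare-branded token."""
    return FLARE_PREFIX.match(body_text) is not None


def is_tunnel_domain(hostname: Optional[str]) -> bool:
    """Exact or subdomain match against trycloudflare.com.

    Case-insensitive; a trailing dot (FQDN form) is tolerated. Substring
    matches are rejected so look-alike registrable domains do not fire.
    """
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    return host == TUNNEL_DOMAIN or host.endswith("." + TUNNEL_DOMAIN)


def hostname_of(url: str) -> Optional[str]:
    """Parse the host out of a URL; scheme-less links are normalised first."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname


def tunnel_links(links: List[str]) -> List[str]:
    """Return the subset of links pointing at trycloudflare.com hosts."""
    return [u for u in links if is_tunnel_domain(hostname_of(u))]


def matches_rule(msg: Message) -> bool:
    """Both conditions must hold, mirroring the rule summary."""
    return has_flare_branding(msg.body_text) and bool(tunnel_links(msg.links))


# Constructed sample messages (not real campaign data).
SAMPLE_MESSAGES = [
    Message(
        "FlareDoc: A document has been shared with you. "
        "Open it at https://quiet-river-1234.trycloudflare.com/view",
        ["https://quiet-river-1234.trycloudflare.com/view"],
    ),
    # Branded prefix but a non-tunnel link: no match.
    Message("FlareBill: your invoice is attached", ["https://billing.example.com/inv/42"]),
    # Tunnel link but no branded prefix: no match.
    Message("Hi team, see https://abc.trycloudflare.com/", ["https://abc.trycloudflare.com/"]),
    # Branded prefix but a look-alike host that merely contains the string: no match.
    Message("FlareReport ready", ["https://trycloudflare.com.evil.example/x"]),
]


def evaluate(messages: List[Message]) -> List[bool]:
    """Run the rule over a batch and return one verdict per message."""
    return [matches_rule(m) for m in messages]


if __name__ == "__main__":
    for msg, hit in zip(SAMPLE_MESSAGES, evaluate(SAMPLE_MESSAGES)):
        print(f"{'MATCH ' if hit else 'clean '} | {msg.body_text[:40]!r}")
```

Only the first sample fires. The third case is worth keeping in any local test set: a tunnel link alone is a weaker signal, and the rule's value comes from combining it with the branded prefix, so tuning the prefix pattern (for example to the specific brand tokens seen in your environment) is where false-positive control lives.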
Categories
  • Web
  • Network
Data Sources
  • Network Traffic
  • Application Log
Created: 2026-06-13