
Link: Cloud service with credential theft language

Sublime Rules

Summary
Inbound rule that flags cloud-service credential-phishing attempts by analyzing message content, sender, and URLs. It triggers when the inbound thread starts with the word 'Cloud' or a cloud emoji and a high-confidence credential-theft intent is detected (NLU intent 'cred_theft' at 'high' confidence), together with a high-confidence topic match for 'File Sharing and Cloud Services'. The rule requires at least one link whose domain is external to the sender's domain and ensures the message contains no recipient-identification entities. It excludes certain known legitimate cloud domains (e.g., cloud-cme.com, cloudcounting.online) when SPF or DMARC passes, and does not flag highly trusted senders unless DMARC fails. The rule relies on content analysis, NLU intents and topics, and sender/URL domain checks to detect credential phishing that impersonates cloud services. The overall severity is medium, and the detection targets credential theft via social engineering around cloud services.
Categories
  • Web
  • Cloud
Data Sources
  • Web Credential
  • Domain Name
Created: 2026-04-24