
Credential theft with Cloudflare tunnel and recipient targeting

Sublime Rules

Summary
This rule detects inbound messages that combine credential-theft language with personalized links hosted via trycloudflare.com, indicating a credential-harvesting attempt tailored to the recipient. It works in two stages: (1) NLU-based intent detection on the message body (body.current_thread.text) using an ml.nlu_classifier to identify the cred_theft intent with a confidence other than 'low'; and (2) link validation on the message (body.current_thread.links) requiring at least one href_url whose root_domain is 'trycloudflare.com' and whose path contains the recipient's email address (recipients.to[0].email.email). When both conditions are met, the rule flags the message as Credential Phishing.

This pattern indicates attackers are not only leveraging credential-themed rhetoric but also using a Cloudflare tunnel to obscure the destination URL and personalize the lure, increasing the likelihood of credential submission.

The rule is categorized as high severity and aligns with the Credential Phishing attack type, using social engineering and evasion techniques. Detection methods include Natural Language Understanding (NLU), Content Analysis, and URL Analysis, a multi-modal approach that identifies both intent and malicious redirection.

Deployment considerations include evaluating legitimate uses of Cloudflare tunnels or personalized links to avoid false positives, and monitoring for similar targeting across other recipients. Overall, the rule serves as a targeted defense against highly personalized phishing campaigns that blend narrative cues with URL-based evasion.
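As an added illustration of the two-stage logic described above (this is not Sublime's code or the rule's own MQL), the following Python evaluates constructed sample messages. The NLU stage is represented by the (intent, confidence) pairs an upstream classifier would emit, supplied here as constructed data, since the classifier itself is not reproduced; the root_domain helper is a naive two-label approximation, an assumption that holds for trycloudflare.com but not for multi-label public suffixes. The link stage decodes percent-encoding and compares case-insensitively, so a lure carrying alice%40example.com in its path is still matched, while a lookalike host such as trycloudflare.com.example.net is rejected because its root domain differs.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote


# Constructed stand-ins for the message fields the rule reads.
@dataclass
class Link:
    href_url: str


@dataclass
class Message:
    to_email: str   # recipients.to[0].email.email
    links: list     # body.current_thread.links
    intents: list   # (intent, confidence) pairs emitted by an upstream NLU classifier (constructed)


def root_domain(host: str) -> str:
    """Naive registrable-domain extraction: the last two DNS labels.
    Assumption: adequate for trycloudflare.com, not for suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def has_cred_theft_intent(intents) -> bool:
    """Stage 1: a cred_theft intent is present with confidence other than 'low'."""
    return any(name == "cred_theft" and conf != "low" for name, conf in intents)


def has_personalized_tunnel_link(links, recipient_email: str) -> bool:
    """Stage 2: some link is hosted under trycloudflare.com and its path carries the
    recipient's address. Percent-encoding (%40 for '@') is decoded and the comparison is
    case-insensitive so trivially encoded lures are still caught."""
    target = recipient_email.strip().lower()
    for link in links:
        parts = urlsplit(link.href_url)
        host = parts.hostname or ""  # None for mailto:/tel: hrefs, so treat as no host
        if root_domain(host) != "trycloudflare.com":
            continue
        if target in unquote(parts.path).lower():
            return True
    return False


def matches(msg: Message) -> bool:
    """Both stages must hold for the message to be flagged."""
    return has_cred_theft_intent(msg.intents) and has_personalized_tunnel_link(msg.links, msg.to_email)


# Constructed samples: one hit and three near misses that each fail a single condition.
SAMPLES = {
    "personalized_tunnel_lure": Message(
        to_email="alice@example.com",
        links=[Link("https://tidy-river-notes.trycloudflare.com/verify/alice%40example.com")],
        intents=[("cred_theft", "high")],
    ),
    "tunnel_link_no_recipient": Message(
        to_email="alice@example.com",
        links=[Link("https://tidy-river-notes.trycloudflare.com/demo")],
        intents=[("cred_theft", "high")],
    ),
    "personalized_but_low_confidence": Message(
        to_email="alice@example.com",
        links=[Link("https://tidy-river-notes.trycloudflare.com/verify/alice@example.com")],
        intents=[("cred_theft", "low")],
    ),
    "lookalike_domain": Message(
        to_email="alice@example.com",
        links=[Link("https://trycloudflare.com.example.net/alice@example.com")],
        intents=[("cred_theft", "medium")],
    ),
}


def evaluate_samples() -> dict:
    """Return the verdict for every constructed sample, keyed by sample name."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

Only the first sample satisfies both stages; the others show why each condition is needed: a tunnel link without the recipient's address is not personalized, a low-confidence intent does not count, and a substring match on the hostname would wrongly accept the lookalike domain that the root-domain check rejects.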
Categories
  • Web
  • Network
Data Sources
  • Application Log
  • Web Credential
  • Network Traffic
Created: 2026-06-11