
Summary
Technical summary: This inbound detection rule flags messages sent to a single valid recipient that contain links pointing to Cloudflare Workers domains ending in -account.workers.dev. The left-hand domain segment must match a predefined impersonation pattern intended to mimic trusted services (Adobe, DocuSign, OneDrive, SharePoint, voicemail, etc.). Specifically, the label before the first dot must be one of page-adobe, adobe, page-docusign, docusign, calendar_invite, fax, quarantine, onedrive, page-password, sharepoint, voicemail, or index (optionally prefixed with page-), followed by -[a-z0-9]{3}; next comes a dot and a second label of at least three [a-z0-9-] characters, and the full domain must end with -account.workers.dev. This EvilTokens Cloudflare Workers domain structure is used to deceive recipients into believing they are interacting with legitimate services. When a match occurs, the rule classifies the incident as Credential Phishing and relies on URL analysis of the message body as the primary detection method. The tactics emphasized are brand impersonation, evasion, and social engineering, targeting credential theft via deceptive links. Prerequisites are inbound message type, exactly one recipient, and a valid recipient domain. Overall, this rule aims to detect phishing attempts that leverage legitimate-service brand impersonation through workers.dev subdomains to harvest credentials or deliver malicious content.
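The domain structure described above, expressed as a runnable check (added example, not the rule's own code); the regex is reconstructed from the summary's wording, the function names are mine, and the sample message body is constructed, not a real capture:

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Service names from the summary; any of them may optionally carry a "page-" prefix.
BASE_NAMES = ["adobe", "docusign", "calendar_invite", "fax", "quarantine",
              "onedrive", "sharepoint", "voicemail", "index"]

# Worker label: (page-)?<name>-<three [a-z0-9]>. "page-password" is listed only
# with its prefix in the summary, so it is added as a literal alternative.
WORKER_LABEL = (r"(?:(?:page-)?(?:" + "|".join(map(re.escape, BASE_NAMES)) +
                r")|page-password)-[a-z0-9]{3}")

# Account label: at least three [a-z0-9-] characters, then the fixed suffix.
EVILTOKENS_RE = re.compile(
    r"^" + WORKER_LABEL + r"\.[a-z0-9-]{3,}-account\.workers\.dev$")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_eviltokens_host(host: str) -> bool:
    """True when a hostname follows the EvilTokens workers.dev structure."""
    return EVILTOKENS_RE.match(host.lower().rstrip(".")) is not None


def find_eviltokens_links(body: str) -> list:
    """Return the distinct matching hostnames among the URLs in a message body."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if is_eviltokens_host(host) and host not in hits:
            hits.append(host)
    return hits


def evaluate(recipients: list, body: str) -> Optional[dict]:
    """Apply the rule's single-recipient prerequisite, then the URL check."""
    if len(recipients) != 1:          # rule requires exactly one recipient
        return None
    hosts = find_eviltokens_links(body)
    if not hosts:
        return None
    return {"classification": "Credential Phishing", "hosts": hosts}


# Constructed sample body: one impersonation link, one benign link, one near-miss.
SAMPLE_BODY = """Your document is ready for review.
https://page-docusign-a1b.secure-account.workers.dev/view
Reference copy: https://docs.example.com/review
Archive: https://adobe-x7k.foo.workers.dev/
"""

if __name__ == "__main__":
    print(evaluate(["user@example.com"], SAMPLE_BODY))
```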
Categories
- Web
Data Sources
- Domain Name
Created: 2026-04-07