diff --git a/detection-rules/link_credential_phishing_cloud_service.yml b/detection-rules/link_credential_phishing_cloud_service.yml
index 2c4f268f509..5d5a2fae579 100644
--- a/detection-rules/link_credential_phishing_cloud_service.yml
+++ b/detection-rules/link_credential_phishing_cloud_service.yml
@@ -10,6 +10,7 @@ source: |
 )
 // cloud emoji
 or regex.contains(body.current_thread.text, '^\x{2601}')
+ or regex.icontains(body.html.raw, ' ?cloud')
 )
 and any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == 'cred_theft' and .confidence == 'high'
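Review bot: The added `regex.icontains(body.html.raw, ' ?cloud')` is far broader than its sibling checks, because the optional leading space makes the pattern equivalent to a bare `cloud` substring anywhere in the raw HTML, including hrefs, image sources, CSS class names and tracking domains (think cloudfront, cloudflare, icloud, soundcloud), so any legitimate mail that embeds such a hostname in its markup will satisfy this branch and the rule then rests entirely on the NLU intent check. The neighbouring emoji check is anchored and runs against `body.current_thread.text`, so the new line is also the only one in this group that inspects invisible markup rather than what the recipient sees. Consider matching the visible text with word boundaries, e.g. `or regex.icontains(body.html.display_text, '\bcloud\b')`, or at minimum `'\bcloud\b'` against `body.html.raw` if markup matching is intended, and add a one-line comment stating which lure wording this branch is meant to catch, parallel to the existing `// cloud emoji` comment. The enclosing parenthesised expression opens before line 10 and its outer `and (` is outside the hunk.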