diff --git a/detection-rules/link_credential_phishing_cloud_service.yml b/detection-rules/link_credential_phishing_cloud_service.yml
index 2c4f268f509..525ea90f1f8 100644
--- a/detection-rules/link_credential_phishing_cloud_service.yml
+++ b/detection-rules/link_credential_phishing_cloud_service.yml
@@ -1,12 +1,12 @@
-name: "Link: Cloud service with credential theft language"
-description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
+name: "Impersonation Link: Cloud branding service with credential theft language"
+description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji or Cloud+ text, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
 type: "rule"
 severity: "medium"
 source: |
   type.inbound
   and (
     any([body.current_thread.text, body.html.inner_text],
-        strings.starts_with(., 'Cloud')
+        strings.starts_with(., 'Cloud') or strings.icontains(., "Cloud+")
     )
     // cloud emoji
     or regex.contains(body.current_thread.text, '^\x{2601}')
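Review bot: The added `strings.icontains(., "Cloud+")` on the `strings.starts_with` line is unanchored and case-insensitive, while the new description still says the message "starts with 'Cloud' or a cloud emoji or Cloud+ text", so the rule logic and its documentation now disagree about what this branch matches. Any occurrence of "cloud+" anywhere in `body.current_thread.text` or `body.html.inner_text` satisfies the disjunct, which is broader than the positional, case-sensitive check beside it and widens the set of messages that reach the rest of the rule's conditions. If a leading match is what is meant, `strings.istarts_with(., "Cloud+")` keeps the anchor and the description stays accurate; if the wider match is intended, the description should drop the "starts with" wording for the Cloud+ case. The same line also mixes `'Cloud'` with `"Cloud+"` quoting, whereas the rest of the visible source uses single-quoted literals. The `source` block scalar continues past the end of the hunk.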