Credential phishing page hosted on Cloudflare Pages (*.pages.dev) with credential-harvest narrative
cf-pages-telegram-exfil
What this tier means
Warning signal — bulk / marketing / mild spam. Contributes to the trash score but is not by itself sufficient.
How Gorganizer detects this
Credential phishing hosted on Cloudflare Pages free tier (*.pages.dev) with account-compromise or suspension narrative, typically exfiltrating credentials to a Telegram bot backend. Cloudflare Pages inherits Cloudflare CDN reputation, causing many URL reputation filters to score *.pages.dev links as benign. The signal fires when: (1) a link to *.pages.dev appears AND (2) a credential/account-action narrative is present (sign in, verify, suspended, restore access) AND (3) sender is NOT from cloudflare.com AND (4) no List-Unsubscribe or In-Reply-To header. Source: GC1 R13 council #4; Group-IB Cloudflare Pages phishing 2025; APWG eCrime platform-abuse track 2025.
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a warning-tier signal — bulk / marketing / mild spam. It contributes to the trash score but never triggers deletion on its own. Gorganizer requires multiple signals + a margin over the safety floor before any email is moved to trash.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
Get started