Threat / Phishing & impersonation

Fake Cloudflare Zero Trust / WARP+ admin re-authentication or policy suspension phishing — fraudulent email impersonating Cloudflare claiming the recipient's Zero Trust admin account requires re-authentication, their WARP+ team plan has expired, or their Zero Trust access policies are suspended — targeting IT administrators and DevOps engineers who use Cloudflare One to gate corporate application access; Zero Trust admin credentials give attackers full control over which users can access which apps behind the gateway

fake-cloudflare-zero-trust-warp-admin-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

This signal covers phishing emails that impersonate Cloudflare and claim that the recipient's Cloudflare Zero Trust admin account requires re-authentication, that their WARP+ team plan has expired or been suspended, or that their Zero Trust access policies are pending review and will be disabled. The email directs the IT administrator to sign in to the team dashboard or approve pending policy changes.

Key facts:

(1) Cloudflare Zero Trust (formerly Cloudflare for Teams / Cloudflare One) gates employee access to corporate applications via SSO and device posture checks. Compromise of admin credentials gives attackers control over which users can access which internal apps behind the Zero Trust gateway, effectively bypassing all application-level authentication.

(2) WARP+ is Cloudflare's enterprise VPN-replacement product. "WARP+ team plan expired" is a credible lure because WARP+ is a paid subscription where real payment failures do genuinely suspend the service.

(3) Zero Trust admins are high-value targets: compromising the admin tenant gives attackers the ability to create backdoor access policies, whitelist attacker-controlled devices for posture checks, and silently add persistent access to every application behind the gateway without triggering alerts.

(4) This is distinct from registrar-admin-dns-control phishing (iter 1093), where Cloudflare is targeted as a domain registrar. This signal targets Cloudflare One / Zero Trust admin roles specifically.

Warning signs: the sender domain is not cloudflare.com or teams.cloudflare.com; there is no reference to a specific team name, policy names, or tenant ID; the link points to a non-cloudflare.com portal; the message creates urgency about policies expiring within hours or user access being revoked immediately.
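As an added illustration (not Gorganizer's code or scoring logic), the warning signs above can be checked in Python roughly as follows. The regexes, finding names, the `known_team` parameter and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: only cloudflare.com and its subdomains (e.g. teams.cloudflare.com) are trusted.
TRUSTED_SUFFIX = "cloudflare.com"
LURE = re.compile(r"zero trust|warp\+|access polic", re.I)
URGENCY = re.compile(r"within \d+ hours?|immediately|re-?authenticat|expired|suspended", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_cloudflare_host(host):
    """Exact or dot-anchored suffix match, so cloudflare.com.zt-login.example fails."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)

def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)

def warning_signs(raw_email, known_team=None):
    """Return the warning signs found in a Zero Trust / WARP+ themed email."""
    msg = message_from_string(raw_email)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    if not LURE.search(text):
        return []  # not a Zero Trust / WARP+ themed message; out of scope here
    found = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_cloudflare_host(sender_domain):
        found.append("sender_not_cloudflare")
    hosts = [urlsplit(u).hostname for u in URL.findall(text)]
    if any(not is_cloudflare_host(h) for h in hosts):
        found.append("offsite_link")
    if URGENCY.search(text):
        found.append("urgency")
    if known_team and known_team.lower() not in text.lower():
        found.append("no_tenant_reference")  # the real team name never appears
    return found

# Constructed sample messages (not real mail).
PHISH = (
    'From: "Cloudflare Zero Trust" <admin@cloudflare.com.zt-login.example>\n'
    "Subject: Action required: Zero Trust access policies suspended\n\n"
    "Policies will be disabled within 4 hours. Sign in at\n"
    "https://teams.cloudflare.com.zt-login.example/login\n")
LEGIT = (
    "From: Cloudflare <noreply@cloudflare.com>\n"
    "Subject: Zero Trust policy updated for team acme-corp\n\n"
    "Review the change at https://dash.cloudflare.com/\n")
```

The dot-anchored suffix match is the important detail: a plain substring test for "cloudflare.com" would accept the lookalike host in the constructed phishing sample.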

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
