Fake SaaS workspace renewal panic + installer lure — email impersonates Slack/Zoom/Jira/Linear/Figma/Notion/Asana/Monday workspace billing, claims the workspace will be deactivated/locked/suspended without immediate renewal, and directs the user to "download the latest installer" from a typosquat host (e.g., slacks[.]pro, zoom-workspace[.]update). The installer is the drop: Malwarebytes Feb 2026 tracked Teramind backdoor via fake Zoom update; Security Boulevard Apr 2026 tracked fake Slack download delivering a hidden desktop

Email impersonates the billing/admin team of a productivity SaaS — Slack, Zoom, Jira, Linear, Figma, Notion, Asana, Monday.com, ClickUp, Miro, Airtable, or Loom — and claims the user's workspace will be deactivated, downgraded, locked, or suspended within hours unless they "download the latest installer" or "re-authenticate the workspace admin." The installer is the drop: Malwarebytes February 2026 disclosed a Teramind backdoor campaign hidden inside a fake Zoom client update; Security Boulevard April 2026 disclosed the `slacks[.]pro` campaign delivering a Remote Access Trojan as a "Slack desktop update." Cyberpress, Sublime, Okta, and Push Security have all tracked variants targeting Slack/Zoom/Teams initial access through 2025-2026. The pattern is distinguishable from legitimate billing notifications because real SaaS billing emails do not ask the user to download an installer — they link to the vendor's own account portal over HTTPS with a DKIM-verified sender. This signal fires on the triple of brand + deactivation/downgrade panic framing + "download the latest version / install the update" CTA. Distinct from the callback-phishing-subscription-lure TOAD pattern (phone-callback, no installer), the Atlassian billing-impersonation phish (subscription billing without the installer drop), and the MS365 basic-auth panic signal (tenant-authentication only). Warning signs: any Slack/Zoom/Linear/Figma/Notion "billing" email that instructs you to run an installer from a non-official domain.