Threat | Phishing & impersonation

Fake Zoom / Microsoft Teams / Google Meet cloud-recording-ready phishing — "your cloud recording is ready to view / meeting transcript available / recording expires in 24h" + credential-harvesting link to a non-vendor host (typosquat SSO sign-in page or malicious "video player" download). High WFH-era volume, sustained through 2026. Distinct from fake-zoom-pro-subscription-billing-phish (billing), zoom-calendar-phishing-url (calendar), meeting-transcript-attachment-phishing-lure (attachment-gated). Evidence: Abnormal Security 2024 Top Phishing Brands (Zoom #3); KnowBe4 2024-2025 threat reports; Microsoft MSRC 2024 Teams impersonation advisory; Bleeping Computer 2023-2025 SSO-harvest campaign coverage

fake-zoom-cloud-recording-ready-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Zoom / Microsoft Teams / Google Meet cloud-recording-ready impersonation phishing. Attackers send a fake notification from Zoom / Teams / Meet with "your cloud recording is ready to view," "meeting transcript available," "recording from yesterday's call is ready to download," or "recording expires in 24 hours, view now." The link points to a typosquat host (zoom-recording-view.example, teams-transcript-portal.example, meet-record-google.example) that serves either (a) a pixel-perfect fake Zoom / Microsoft / Google SSO sign-in page harvesting enterprise credentials, or (b) a malicious "video player plugin" binary that installs malware on open.

Attack volume exploded during the WFH era and has not declined in 2026. Remote-meeting recording emails are a normalized, expected, barely scrutinized part of every knowledge worker's inbox flow, which is exactly why this impersonation works. Blast radius depends on the payload: with a credential harvest, the attacker typically lands on the victim's M365 / Google Workspace SSO token and gets access to email, SharePoint / Drive files, Teams chats, and any federated service; with malware, the attacker installs infostealers that exfiltrate saved browser credentials, session cookies (which bypass 2FA), and any crypto-wallet browser-extension state.

Distinct from `fake-zoom-pro-subscription-billing-phish` (Round 249: billing / subscription cancellation shape, disjoint vocabulary), `zoom-calendar-phishing-url` (body-signals.ts: calendar-invite spoofing with meeting-link hijack), and `meeting-transcript-attachment-phishing-lure` (body-bec.ts: requires an actual attachment; this signal targets the more common attachment-free, link-only variant).

Real precedents: Abnormal Security's 2024 "Top Phishing Brands" report placed Zoom at #3 with recording-ready lures the dominant subtype; KnowBe4's 2024 + 2025 threat reports consistently ranked Zoom #4-#6 brand worldwide; Microsoft MSRC published a 2024 advisory specifically on Teams impersonation phish after a spike in recording-ready campaigns targeting M365-federated enterprises; Bleeping Computer and The Hacker News tracked multiple 2023-2025 SSO-harvest waves that arrived styled as Zoom recordings.

Legitimate meeting-recording emails come exclusively from the vendor's domain: `zoom.us`, `zoomgov.com`, `teams.microsoft.com`, `email.teams.microsoft.com`, `sharepoint.com`, `meet.google.com`, `drive.google.com`, `webex.com`. Warning signs: any "your recording is ready" email whose sign-in / download link is hosted elsewhere. Defense: always open Zoom / Teams / Meet directly from the native desktop app or from your bookmarked URL. Recordings live inside the vendor's own recording-library UI and never require you to sign in via an email link to view them. If you're an IT admin, enforce conditional-access policies that reject sign-ins from non-corporate IPs for these SSO domains, which limits the blast radius even if a user does submit credentials.
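A sketch of the check described above (recording-ready wording plus a link whose host is outside the vendor list), as an added example that is not Gorganizer's own code. The allowlist is the vendor list from this page; the lure regexes, function names and sample messages are assumptions made for illustration.

```typescript
// Added example, not Gorganizer's code. Allowlist is the page's vendor list;
// the lure regexes are illustrative assumptions built from the quoted phrases.
const VENDOR_DOMAINS: string[] = [
  "zoom.us", "zoomgov.com", "teams.microsoft.com", "email.teams.microsoft.com",
  "sharepoint.com", "meet.google.com", "drive.google.com", "webex.com",
];
const LURE_PATTERNS: RegExp[] = [
  /cloud recording is ready/i,
  /meeting transcript (is )?available/i,
  /recording\b.{0,40}\bready to (view|download)/i,
  /recording expires in \d+\s*h/i,
];

interface LureVerdict { lure: boolean; offVendorHosts: string[]; hit: boolean; }

// Host of every http(s) link, with userinfo, port and trailing dot removed.
function linkHosts(body: string): string[] {
  const re = /https?:\/\/([^\/\s"'<>?#]+)/gi;
  const hosts: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(body)) !== null) {
    // "zoom.us@evil.example" is a link to evil.example, not zoom.us
    const authority = m[1].slice(m[1].lastIndexOf("@") + 1);
    hosts.push(authority.replace(/:\d+$/, "").replace(/\.$/, "").toLowerCase());
  }
  return hosts;
}

// Exact match or true subdomain only; "zoom.us.evil.example" must not pass.
function isVendorHost(host: string): boolean {
  return VENDOR_DOMAINS.some(function (d) {
    return host === d || host.slice(-(d.length + 1)) === "." + d;
  });
}

function checkRecordingReadyLure(subject: string, body: string): LureVerdict {
  const text = subject + "\n" + body;
  const lure = LURE_PATTERNS.some(function (p) { return p.test(text); });
  const offVendorHosts = linkHosts(body).filter(function (h) { return !isVendorHost(h); });
  return { lure: lure, offVendorHosts: offVendorHosts, hit: lure && offVendorHosts.length > 0 };
}

// Constructed sample messages (hosts are the page's .example placeholders).
const SAMPLE_PHISH = checkRecordingReadyLure("Your cloud recording is ready to view",
  "Recording expires in 24 hours. View now: https://zoom-recording-view.example/sso");
const SAMPLE_LEGIT = checkRecordingReadyLure("Cloud recording is ready",
  "Open it here: https://us02web.zoom.us:443/rec/share/constructed-id");
```

The suffix comparison is the part that matters most: a plain substring test for `zoom.us` would accept both the userinfo form and look-alike hosts that merely contain a vendor name.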

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
