Fake meeting-recording-ready non-canonical-host lure — "Your Google Meet / Microsoft Teams / Webex / GoToMeeting recording is ready, click here to view" via link host NOT on the meet-canonical-host allowlist (meet.google.com, teams.microsoft.com, webex.com, gotomeeting.com, zoom.us). Generalises the pre-existing iter-1119 `fake-zoom-cloud-recording-ready-phish` (Zoom-only) to the rest of the synchronous-meet ecosystem. Synthetic-media provenance family — recording-ready notification often carries a deepfake-video payload. Hong Kong $25M Arup deepfake (Feb 2024) + 2025 LastPass / Ferrari attempts proved synthetic video at scale, lending the recording-ready brand-spoof immediate credibility. Source: Red-Team R9 multi-agent council S3 (deepfake-video specialist), Lead consensus C4.

Fake meeting-recording-ready non-canonical-host lure targeting users of Google Meet, Microsoft Teams, Cisco Webex, and GoToMeeting. The phish narrative arrives as: "Your Google Meet meeting recording is ready. Click below to download," or "Your Teams meeting recording is now available. Sign in to view," or "Your Webex meeting recording has been processed. Download from the link below." Generalises the pre-existing iter-1119 `fake-zoom-cloud-recording-ready-phish` (Zoom-only) to the rest of the synchronous-meet ecosystem (Google Meet, Microsoft Teams, Cisco Webex, GoToMeeting / GoTo / LogMeIn). Synthetic-media provenance family — the recording-ready notification often carries a deepfake-video payload (Hong Kong $25M Arup deepfake Feb 2024 + 2025 LastPass / Ferrari attempts proved synthetic video at scale). Real meeting-recording-ready notifications come from the canonical platform domain with In-Reply-To threading from the meeting invite, never via inbound email link to an unfamiliar domain. Sender / link host NOT on the meet-canonical-host allowlist (meet.google.com, google.com, teams.microsoft.com, microsoft.com, webex.com, cisco.com, gotomeeting.com, goto.com, logmein.com, zoom.us, zoom.com). Zoom is intentionally included in the allowlist so the signal does NOT double-fire with the pre-existing iter-1119 zoom-only signal. Fires when body references Google Meet / Meet recording / Microsoft Teams (meeting) recording / Teams meeting recording / Webex (meeting) recording / GoToMeeting recording / Cisco Webex AND contains recording (is) ready / meeting recording / recording (has been) processed-available-now-available / view (the) recording / download (the) recording vocabulary AND contains an http(s):// link. Excludes the canonical meet-platform domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R9 multi-agent council S3 (deepfake-video specialist), Lead consensus C4.