Fake SaaS license audit lure — "your Microsoft / Oracle / Adobe / Salesforce licenses are over-deployed, respond in 7 days or pay $X" targeting IT admins (2024-2025 real-audit-fear exploitation)

Fake "your Microsoft / Oracle / Adobe / Salesforce / Atlassian / Autodesk / SAP / VMware / IBM / Citrix / Workday / ServiceNow licenses are over-deployed — respond to the audit within 7 days or pay $X" email targeting IT admins and procurement teams. The fear is grounded in real vendor practice: Microsoft, Oracle, SAP, and Adobe conduct license audits that regularly result in six-figure settlements, so the threat reads plausibly even when the sender domain is obviously not the vendor. Attackers harvest credentials through the "respond here with your tenant admin details" flow, then sell access to ransomware affiliates. Abnormal Security and Flexera documented 2024-2025 campaigns targeting IT admin inboxes. Fires when the body references a specific software-license vendor (Microsoft 365/M365, Office 365, Oracle database, Adobe Creative Cloud, Salesforce, Atlassian Cloud, Autodesk, SAP, VMware, IBM, Citrix, Workday, ServiceNow) AND contains license/seat/subscription + audit/compliance/over-deploy language AND response-deadline urgency (respond within N days, compliance settlement, audit penalty, failure to respond). Excludes known vendor domains and legitimate license-management platforms (Flexera, Snow Software, Crayon, Torii, Zylo, Vendr, Tropic). Auto-classified as danger via the `-lure` suffix.