Fake Slack / Teams / Discord workspace credential phishing — impersonates Slack, Microsoft Teams, or Discord with a fake workspace invitation or account deactivation warning requiring sign-in from a non-official domain; Cofense 2024: Slack phishing is the #1 workplace collaboration tool phishing vector; workspace access gives attackers full team communications, file history, and connected app tokens for deep BEC attacks

Phishing emails impersonating Slack, Microsoft Teams, or Discord with fake workspace invitations or account deactivation warnings that direct victims to enter credentials on non-official domains — enabling full team communication account takeover. Key facts: (1) Cofense 2024: Slack phishing is the #1 workplace collaboration tool phishing vector; attackers exploit the high-frequency legitimate flow of Slack workspace invitation emails — employees receive genuine Slack invitations regularly and have been conditioned to click them without verification; (2) Slack and Teams account takeover is distinctly high-value because workspace access gives the attacker access to the full message history and file archive of the team, all integrated apps and webhook tokens, direct message threads containing credentials and sensitive links, and the ability to send trusted messages from the victim's account to all teammates and channels — turning a single phished credential into a deep social engineering platform; (3) The account deactivation variant exploits another effective hook: employees who rely on Slack for daily work coordination feel immediate urgency when told their account will be deactivated — the fear of losing message history and workspace access overrides rational sender verification; (4) Legitimate Slack workspace invitations and notifications come only from slack.com (feedback@slack.com, no-reply@slack.com, slackhq.com); Microsoft Teams notifications come from microsoft.com or teams.microsoft.com; Discord emails come from discord.com — any workspace communication from a different domain is definitively fraudulent and no legitimate platform requires credential re-entry via email link to accept an invitation. Warning signs: sender domain is not slack.com, microsoft.com, or discord.com; workspace invitation requires email/password sign-in via a non-official domain; deactivation threat with tight deadline; no specific workspace name or inviting colleague's name visible before clicking.