Meeting transcript attachment phishing lure — fake Zoom / Teams / Meet transcript PDF/DOCX with embedded phishing URLs framed as "action items" (Proofpoint / KnowBe4 / Abnormal 2025 campaigns)

Email delivers a fake meeting-transcript document (.pdf, .docx, .doc, .txt, .rtf) claiming to be the transcript, recording, summary, or call-log from a recent Zoom / Microsoft Teams / Google Meet / Webex / GoToMeeting / BlueJeans / Jitsi / Riverside / Loom / Fathom / Otter.ai / Grain session. Proofpoint, KnowBe4, and Abnormal Security documented multiple 2025 campaigns where attackers used AI-generated transcripts from ChatGPT or Claude to give phishing emails contextual legitimacy — recipients trust "meeting notes" and "action items" documents far more than cold invoices or unsolicited package notifications. The transcript body contains embedded phishing URLs framed as "the shared link from the meeting" or "the action item I mentioned." Fires when the email has a transcript-shaped attachment filename (containing transcript/recording/minutes/notes/summary/call-log keywords) with a document extension (.pdf / .doc(x) / .txt / .rtf) AND the subject or body references a meeting context. Excludes known videoconferencing vendors (Zoom, Microsoft, Google Meet, Webex, GoToMeeting, BlueJeans, Jitsi, Riverside, Loom, Fathom, Otter.ai, Grain) who send real transcripts through their own infrastructure, reply threads, and newsletters discussing transcript tools. Auto-classified as danger via the `-lure` suffix.