This week, we uncovered an attack that uses a Zoom notification. We saw it across multiple organizations and over multiple weeks.
It works like this:
The subject of the email reads: "You have a VM-Alert"
The body links to a page that claims it will let you respond to a Zoom request, but the link is actually malicious. Some emails even carried a Zoom logo. The Zoom meeting ID is static and doesn't go anywhere.
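A mail-triage sketch for the traits described above, added here as an example and not taken from the original post or any vendor tooling: it flags messages that present themselves as Zoom but link to non-Zoom hosts, and that either carry the quoted subject or reuse one meeting ID across recipients. Assumptions: `zoom.us` and `zoom.com` as the accepted Zoom domains, a "Meeting ID:" label in the body, and the sample messages, which are constructed.

```python
import re
from collections import Counter
from email import message_from_string, policy
from urllib.parse import urlparse

ZOOM_HOSTS = ("zoom.us", "zoom.com")   # assumption: domains accepted as genuine Zoom
LURE_SUBJECT = "you have a vm-alert"   # subject line quoted in the write-up
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
MEETING_ID_RE = re.compile(r"meeting id:?\s*((?:\d[\s-]?){9,11})", re.I)

def is_zoom_host(host):
    # Exact or subdomain match only, so "zoom.us.example.org" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ZOOM_HOSTS)

def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    mid = MEETING_ID_RE.search(body)
    return {
        "to": str(msg["To"] or ""),
        "lure_subject": LURE_SUBJECT in subject.lower(),
        "claims_zoom": "zoom" in (subject + " " + body).lower(),
        "non_zoom_hosts": sorted(h for h in hosts if h and not is_zoom_host(h)),
        "meeting_id": re.sub(r"\D", "", mid.group(1)) if mid else None,
    }

def triage(raws):
    results = [analyze(r) for r in raws]
    seen = Counter(r["meeting_id"] for r in results if r["meeting_id"])
    for r in results:
        # Recurring meetings reuse IDs legitimately; reuse counts only with a non-Zoom link.
        r["reused_meeting_id"] = seen[r["meeting_id"]] > 1
        hit = r["lure_subject"] or r["reused_meeting_id"]
        r["suspicious"] = bool(r["claims_zoom"] and r["non_zoom_hosts"] and hit)
    return results

def sample(to, subject, body):  # constructed messages, not real captures
    return f"From: notify@example.org\nTo: {to}\nSubject: {subject}\n\n{body}\n"
LURE = "Zoom voice message waiting.\nMeeting ID: 123 456 7890\nRespond: "
SAMPLES = [
    sample("a@corp.example", "You have a VM-Alert", LURE + "https://zoom-reply.example.net/r"),
    sample("b@corp.example", "Zoom notification", LURE + "https://zoom.us.example.org/r"),
    sample("c@corp.example", "Weekly sync",
           "Join Zoom: https://zoom.us/j/98765432101\nMeeting ID: 987 6543 2101"),
]
print([(r["to"], r["suspicious"]) for r in triage(SAMPLES)])
```

The second sample shows why the meeting-ID correlation matters: its subject differs, but the reused ID plus a non-Zoom link still flags it.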
Here's what it looks like: