You need to know the Slack workspace URL, looks like the previous method I used to find this for arbitrary domains has been fixed. Workspace URLs aren't secret, though, and can often be guessed. Let's assume finding this for your target isn't an issue.
The most common reflection attack is through support systems, specifics will vary depending on the product used. Not all are vulnerable to this.
Open a support ticket with support@company.com pretending to have a valid complaint. Obtain the unique e-mail address for your ticket such as support+2392@company.com, and use "Sign up" at https://company.slack.com/signup#/domain-signup with the support ticket e-mail address.
The support ticket system can leak the contents of the Slack invitation as a ticket update. Once you know the validation URL Slack allows you to sign up.
The most common reflection attack is through support systems, specifics will vary depending on the product used. Not all are vulnerable to this.
Open a support ticket with support@company.com pretending to have a valid complaint. Obtain the unique e-mail address for your ticket such as support+2392@company.com, and use "Sign up" at https://company.slack.com/signup#/domain-signup with the support ticket e-mail address.
The support ticket system can leak the contents of the Slack invitation as a ticket update. Once you know the validation URL Slack allows you to sign up.