
Wildcard DNS would work:

*.example.com. 14400 IN A 1.2.3.4

After that, just collect webserver logs.



Yeah, assuming Slack does prefetch these links, that makes the attack significantly easier and faster to carry out.


I actually meant DNS prefetching, not HTTP prefetching. I don't think browsers will prefetch (make HTTP GET requests before they are clicked) links by default (maybe Slack does to get metadata), but they quite often prefetch the DNS host records as soon as an "a href" appears.

In case of DNS prefetching, a wildcard record wouldn't be needed; you just need to control the nameservers of the domain and enable query logging.

But I'm not sure how browsers decide which links to DNS prefetch, maybe it's not even possible for links generated with JS or something like that ... I'm just guessing.



