
Summary
Detects inbound emails from Notion's legitimate notification address (notify@mail.notion.so) that pass SPF/DMARC checks but impersonate internal VIPs by matching the sender's display name to an internal VIP list. It further analyzes embedded links in the message and uses link-analysis results to identify if any linked Notion workspace operates at a free-tier subscription. This combination indicates abuse of Notion's free tier to craft convincing internal impersonation phishing lures targeted at VIPs. The rule relies on VIP name matching, header/sender checks, and link-content analysis (including a Notion space’s subscription tier) to trigger a detection.
Categories
- Identity Management
- Web
Data Sources
- Web Credential
- Domain Name
- Network Traffic
Created: 2026-07-15