← Back to Explore
sublimemediumRule
Service abuse: Notion free-tier account impersonating VIP
Detects messages sent from Notion's legitimate notification address (notify@mail.notion.so) that pass SPF and DMARC checks, but where the sender's display name matches an internal VIP, and the embedded links resolve to a Notion workspace associated with a free-tier subscription. This pattern indicates abuse of Notion's free tier to craft convincing internal impersonation lures.
Detection Query
type.inbound
and sender.email.email == 'notify@mail.notion.so'
// from VIP
and any($org_vips, strings.icontains(sender.display_name, .display_name))
and any(body.current_thread.links,
any(ml.link_analysis(.).additional_responses,
.json['statsigUser']['custom']['spaceSubscriptionTier'] == 'free'
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Service abuse: Notion free-tier account impersonating VIP"
description: "Detects messages sent from Notion's legitimate notification address (notify@mail.notion.so) that pass SPF and DMARC checks, but where the sender's display name matches an internal VIP, and the embedded links resolve to a Notion workspace associated with a free-tier subscription. This pattern indicates abuse of Notion's free tier to craft convincing internal impersonation lures."
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.email == 'notify@mail.notion.so'
// from VIP
and any($org_vips, strings.icontains(sender.display_name, .display_name))
and any(body.current_thread.links,
any(ml.link_analysis(.).additional_responses,
.json['statsigUser']['custom']['spaceSubscriptionTier'] == 'free'
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: VIP"
- "Social engineering"
detection_methods:
- "Sender analysis"
- "Header analysis"
- "URL analysis"
- "Content analysis"
id: "966562cb-78b2-5844-a200-d12321df4472"