Medium Severity

Service abuse: Notion free-tier account impersonating VIP

Description

Detects messages sent from Notion's legitimate notification address (notify@mail.notion.so) that pass SPF and DMARC checks, but where the sender's display name matches an internal VIP, and the embedded links resolve to a Notion workspace associated with a free-tier subscription. This pattern indicates abuse of Notion's free tier to craft convincing internal impersonation lures.

References

No references.

Sublime Security
Created Jul 14th, 2026 • Last updated Jul 14th, 2026
Source
type.inbound
and sender.email.email == 'notify@mail.notion.so'
// from VIP
and any($org_vips, strings.icontains(sender.display_name, .display_name))
and any(body.current_thread.links,
        any(ml.link_analysis(.).additional_responses,
            .json['statsigUser']['custom']['spaceSubscriptionTier'] == 'free'
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started