Fake Notion / Airtable / Monday.com workspace share credential phishing — impersonates Notion, Airtable, Monday.com, or Asana with a fake "someone shared a page/base/board with you" notification requiring Google or Microsoft 365 sign-in on a non-official domain; Cofense 2024: productivity-tool impersonation is a top-5 credential-phishing vector in SaaS-heavy organizations; workspace access gives attackers full company knowledge base, project plans, and connected app tokens

Phishing emails impersonating Notion, Airtable, Monday.com, or Asana with a fake "someone shared a page/base/board with you" or "you have been invited to collaborate" notification that requires Google or Microsoft 365 credential sign-in on a non-official domain — enabling full company knowledge-base and project management account takeover. Key facts: (1) Cofense 2024: productivity-tool impersonation is a top-5 credential-phishing vector in SaaS-heavy organizations; employees at product, engineering, and operations teams receive legitimate Notion page-share and Airtable base-share invitation emails multiple times per day — the conditioning is so strong that verification of the sender domain is rarely performed; (2) The attack chain is identical to Figma phishing: a realistic-looking "teammate shared a Notion page with you" email arrives from a plausible-looking domain, the "View page" button redirects to a Google or Microsoft 365 sign-in page, and after credential submission the page redirects to a real (but irrelevant) Notion page — victims never realize they were phished; (3) Productivity tool account takeover is particularly high-value because Notion workspaces and Airtable bases typically contain the company's internal wiki, product roadmap, customer data, employee directories, API keys and credentials stored in notes, and connected integrations — giving the attacker a comprehensive intelligence picture of the organization for follow-on BEC attacks; (4) Legitimate Notion invitations arrive from mail.notion.so or no-reply@notion.so; Airtable from airtable.com; Monday.com from notifications.monday.com; Asana from asana.com — and they never require the recipient to re-enter Google or Microsoft credentials via an external link. Warning signs: sender domain not notion.so, notion.com, airtable.com, monday.com, or asana.com; workspace access requires Google/Microsoft login on non-official domain; no specific page title, database name, or inviting colleague's name shown.