Phishing Campaign Abuses Google AppSheet to Hijack Thousands of Facebook Accounts
A Vietnamese-linked threat actor has compromised 30,000 Facebook accounts by abusing Google's AppSheet platform to deliver highly convincing phishing emails that bypass standard security filters.

A sophisticated, long-running phishing campaign has successfully hijacked approximately 30,000 Facebook accounts by weaponizing Google’s AppSheet platform to bypass standard email security filters (Malwarebytes Labs). The operation, which is currently active, specifically targets business and advertiser profiles to monetize access through fraudulent advertising, scams, and the sale of compromised credentials (Malwarebytes Labs).
The technical mechanism relies on the abuse of Google AppSheet, a no-code development platform designed for internal workflows and automated notifications. By leveraging AppSheet’s infrastructure, attackers send phishing emails that originate from legitimate Google-operated addresses and domains, such as noreply@appsheet.com and appsheet.bounces.google.com (Malwarebytes Labs). Because these emails are routed through Google’s own servers, they pass standard authentication protocols like SPF, DKIM, and DMARC, causing most email security filters to classify them as trusted, legitimate correspondence (Malwarebytes Labs).
Once the email reaches the victim, it typically impersonates Facebook, using urgent lures such as alleged policy violations, copyright complaints, or account verification issues (Malwarebytes Labs). The phishing sites linked within these messages are designed to harvest a "full recovery pack," which includes passwords, two-factor authentication (2FA) codes, dates of birth, phone numbers, and even identification photos (Malwarebytes Labs). Behind the scenes, the operation utilizes an industrial-scale infrastructure powered by Telegram bots and channels to process the stolen data in real time (Malwarebytes Labs).
Researchers have attributed this campaign to a Vietnamese-linked threat actor (Malwarebytes Labs). The impact is significant, as the attackers prioritize high-value business accounts that rely on Facebook for marketing and revenue generation (Malwarebytes Labs). In some instances, the threat actors have been observed offering "account recovery" services to victims, effectively extorting them to regain access to the very accounts the group previously compromised (Malwarebytes Labs).
There is no automated patch for this abuse, as it exploits the intended functionality of a legitimate service. Users are advised to exercise extreme caution regarding any email claiming to be from Facebook that demands urgent action, particularly those threatening account disablement within 24 hours (Malwarebytes Labs). Security experts emphasize that Facebook does not utilize Google infrastructure to send official security or policy notifications (Malwarebytes Labs).
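For mail administrators, the mismatch described above (Facebook branding on a message relayed by AppSheet) can be turned into a filtering rule. The following Python example is an addition to this article, not code from Malwarebytes Labs; the function name `score_message`, the keyword lists, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Sender infrastructure named in the article; keyword lists are assumptions.
APPSHEET_DOMAINS = ("appsheet.com", "appsheet.bounces.google.com")
BRAND_TERMS = ("facebook", "meta business", "meta support")
LURE_TERMS = ("policy violation", "copyright", "verify your account", "24 hours")

# Constructed sample message (not a captured email).
SAMPLE = """\
Return-Path: <bounce-123@appsheet.bounces.google.com>
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass
From: "Facebook Support" <noreply@appsheet.com>
To: owner@example.test
Subject: Policy violation: your page will be disabled in 24 hours

Verify your account here: https://phish.example.test/appeal
"""


def _domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def score_message(raw):
    """Return (verdict, reasons) for one RFC 5322 message passed as a str."""
    msg = email.message_from_string(raw, policy=policy.default)
    senders = (_domain(msg["From"]), _domain(msg["Return-Path"]))
    via_appsheet = any(d == a or d.endswith("." + a)
                       for d in senders for a in APPSHEET_DOMAINS)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = " ".join([str(msg["From"] or ""), str(msg["Subject"] or ""),
                     body.get_content() if body else ""]).lower()
    brand = any(t in text for t in BRAND_TERMS)
    lure = any(t in text for t in LURE_TERMS)
    auth_pass = "dmarc=pass" in str(msg["Authentication-Results"] or "").lower()
    reasons = [name for name, hit in (
        ("sent via AppSheet", via_appsheet),
        ("claims to be Facebook/Meta", brand),
        ("urgent-action lure", lure),
        ("DMARC pass for the relay, not for Facebook", auth_pass)) if hit]
    # Facebook does not send notices through Google infrastructure, so an
    # AppSheet sender plus Facebook branding is enough to quarantine.
    verdict = "quarantine" if via_appsheet and brand else "allow"
    return verdict, reasons
```

A legitimate AppSheet notification that merely mentions Facebook would also match, so hits are better routed to quarantine for review than deleted outright.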
To mitigate the risk, users should avoid clicking links in suspicious emails and instead navigate directly to facebook.com or the official mobile application to verify account status (Malwarebytes Labs). Enabling robust 2FA and configuring login alerts for new devices are critical defensive measures. This campaign highlights a growing trend of attackers exploiting the inherent trust placed in major cloud platforms to bypass traditional security perimeters, a tactic that continues to challenge both enterprise and consumer email defenses (Malwarebytes Labs).