AppSheet Abused as Phishing Relay in 30,000-Account Facebook Heist
Original source: 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign (The Hacker News)
Guardio researchers have mapped a Vietnamese-run operation, dubbed AccountDumpling, that weaponizes Google AppSheet’s [email protected] sender to slip past spam filters and land Meta Support impersonation emails in Facebook Business inboxes. Targets are pushed toward fake appeal flows hosted on Netlify, Vercel, and Google Drive, where credentials, 2FA codes, government IDs, and browser screenshots captured via html2canvas are siphoned off to attacker-controlled Telegram channels. Lures rotate through account-disablement panics, blue-badge reviews, copyright complaints, and bogus job offers from brands like WhatsApp, Adobe, and Apple.
The Telegram drops aggregate roughly 30,000 victim records, concentrated in the US, Italy, Canada, the Philippines, and India, with hijacked accounts then resold through the operators’ own storefront — including a recovery racket that monetizes the same victims twice. Metadata on Canva-generated lure PDFs surfaced the operator handle PHẠM TÀI TÂN and a linked Vietnamese digital-marketing site, tying the infrastructure to a single commercial actor.
The campaign is another instance of trusted SaaS platforms — AppSheet, Vercel, Netlify, Drive, Canva — being conscripted as the delivery, hosting, and exfiltration substrate for credential theft. Reputation-based email filtering and platform allowlists are the load-bearing assumption being exploited, and they keep failing the same way.
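An added example (not from the article or from Guardio's research) of content-based triage for this failure mode: it ignores sender reputation and flags messages that claim a Meta or Facebook identity from a non-Meta domain while arriving through a SaaS relay or linking to free hosting. The relay domain, brand domains, hosting suffixes and the sample message are assumptions constructed for illustration, since the article redacts the actual sender address.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values, not taken from the article (its sender address is redacted).
RELAY_DOMAINS = ("appsheet.com",)
BRAND_DOMAINS = ("meta.com", "facebook.com", "facebookmail.com")
HOSTING_SUFFIXES = ("netlify.app", "vercel.app", "drive.google.com")
BRAND_RE = re.compile(r"\b(meta|facebook)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message modelled on the lure type the article describes.
LURE = """From: "Meta Support" <noreply@appsheet.com>
Subject: Your Facebook page is scheduled for disablement

Submit an appeal: https://constructed-sample.netlify.app/form
"""

def host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def body_text(msg):
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")

def triage(raw):
    """Return the reasons a raw RFC 5322 message matches the lure pattern."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # The display name or subject claims the brand, but the sender is not the brand.
    if BRAND_RE.search(f"{display} {msg.get('Subject', '')}") and not host_matches(domain, BRAND_DOMAINS):
        reasons.append("brand-mismatch")
    if host_matches(domain, RELAY_DOMAINS):
        reasons.append("saas-relay-sender")
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body_text(msg))}
    if any(host_matches(h, HOSTING_SUFFIXES) for h in hosts):
        reasons.append("free-hosting-link")
    return reasons

def verdict(raw):
    # Quarantine only when the brand claim is backed by a relay or hosting signal,
    # so ordinary notifications from the relay itself are still delivered.
    r = triage(raw)
    return "quarantine" if "brand-mismatch" in r and len(r) >= 2 else "deliver"

if __name__ == "__main__":
    print(triage(LURE), verdict(LURE))
```
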
This is an AI-generated summary. Read the original for the full story.