Executive Summary
In May 2026, a Vietnamese-linked cyber operation, dubbed 'AccountDumpling' by Guardio, exploited Google's AppSheet platform to distribute phishing emails impersonating Meta Support. These emails targeted Facebook Business account owners, urging them to submit appeals to avoid account deletion. The phishing campaign successfully compromised approximately 30,000 Facebook accounts, which were subsequently sold through illicit channels. The attackers utilized AppSheet's legitimate 'noreply@appsheet.com' email address to bypass spam filters, enhancing the credibility of their fraudulent messages.
This incident underscores a growing trend where cybercriminals leverage trusted platforms to execute sophisticated phishing attacks. The exploitation of legitimate services like Google AppSheet highlights the need for enhanced vigilance and adaptive security measures to counteract evolving threat vectors.
Why This Matters Now
The 'AccountDumpling' campaign exemplifies the increasing sophistication of phishing attacks that exploit legitimate platforms to bypass security measures. Organizations must remain vigilant and adapt their security protocols to address these evolving threats.
Attack Path Analysis
Attackers initiated the campaign by sending phishing emails from a legitimate Google AppSheet address, leading victims to fake Facebook login pages to harvest credentials. Using these credentials, they accessed victims' Facebook accounts, potentially escalating privileges within the accounts. The attackers then moved laterally by exploiting the compromised accounts to send further phishing messages. They established command and control by maintaining access to these accounts and exfiltrated sensitive information, including personal data and authentication tokens. Finally, they monetized the stolen accounts by selling them through illicit storefronts.
Kill Chain Progression
Initial Compromise
Description
Attackers sent phishing emails from a legitimate Google AppSheet address, leading victims to fake Facebook login pages to harvest credentials.
MITRE ATT&CK® Techniques
Spearphishing via Service
Impersonation
Web Service
Phishing for Information
Masquerading
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for detecting and responding to failures are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Marketing/Advertising/Sales
Facebook phishing campaigns directly threaten social media marketing operations, compromising brand accounts and advertising access critical for customer engagement and revenue generation.
Computer Software/Engineering
Google AppSheet phishing relay exploits cloud application vulnerabilities, requiring enhanced egress security and zero trust segmentation to prevent account compromise attacks.
Financial Services
Account compromise operations targeting social platforms pose compliance risks under NIST frameworks, necessitating threat detection and encrypted traffic capabilities for protection.
Health Care / Life Sciences
Vietnamese-linked phishing affecting 30,000 accounts creates HIPAA compliance exposure through potential patient data access via compromised healthcare organization social media accounts.
Sources
- 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign: https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html (Verified)
- This dangerous new phishing scam spoofs a top Google program to try and hack Facebook accounts: https://www.techradar.com/pro/security/this-dangerous-new-phishing-scam-spoofs-a-top-google-program-to-try-and-hack-facebook-accounts (Verified)
- Cybercriminals Use Google AppSheet in Sophisticated Facebook Phishing Scam: https://www.cttsonline.com/2025/07/01/cybercriminals-imitate-google-to-hijack-facebook-accounts-in-latest-phishing-scam/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF primarily focuses on network-level controls, its comprehensive visibility and monitoring capabilities could likely aid in detecting and alerting on anomalous outbound connections initiated by compromised workloads.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict identity-based access controls, reducing unauthorized access to sensitive resources.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely limit lateral movement by enforcing strict segmentation policies, reducing the attacker's ability to propagate within the network.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely enhance the detection of unauthorized control channels by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by enforcing strict outbound traffic policies, reducing unauthorized data transfers.
While Aviatrix CNSF primarily focuses on network-level controls, its comprehensive monitoring capabilities could likely aid in detecting and mitigating unauthorized access, thereby reducing the potential impact of account monetization.
Impact at a Glance
Affected Business Functions
- Social Media Account Management
- Digital Marketing
- Customer Engagement
Estimated downtime: 7 days
Estimated loss: $50,000
Compromised Facebook accounts leading to unauthorized access to personal information, potential misuse of business pages, and exposure of sensitive communications.
Recommended Actions
Key Takeaways & Next Steps
- Implement advanced email filtering solutions to detect and block phishing attempts, even those originating from legitimate services.
- Enforce multi-factor authentication (MFA) on all user accounts to prevent unauthorized access using stolen credentials.
- Educate users on recognizing phishing attempts and the importance of not sharing credentials or authentication codes.
- Monitor for unusual account activities, such as unexpected login locations or changes in account behavior, to detect potential compromises.
- Regularly review and update security policies and controls to address evolving phishing tactics and techniques.
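The first recommendation, filtering mail that arrives from a legitimate service, can be expressed as a content-versus-sender mismatch rule. The sketch below is an added example, not code from Guardio or Aviatrix. Only the address noreply@appsheet.com comes from the report; the brand terms, the list of genuine Meta link domains and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions of this example: the relay address comes from the report; the brand
# terms and the list of genuine Meta link domains are illustrative choices.
RELAY_SENDERS = {"noreply@appsheet.com"}
BRAND_TERMS = re.compile(r"\b(meta|facebook)\b", re.I)
BRAND_DOMAINS = ("facebook.com", "meta.com", "fb.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_brand_host(host):
    """True only for a brand domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def text_of(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_maintype() == "text"]
    return b"\n".join(parts).decode("utf-8", errors="replace")

def relay_impersonation_findings(raw):
    """Return reasons to quarantine; an empty list means no finding."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if addr.lower() not in RELAY_SENDERS:
        return []  # out of scope: this rule only covers the trusted relay
    body = text_of(msg)
    claimed = " ".join([display, msg.get("Subject", ""), body])
    if not BRAND_TERMS.search(claimed):
        return []  # ordinary AppSheet notification, no Meta branding
    findings = [f"Meta/Facebook branding in mail sent by {addr}"]
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not is_brand_host(host):
            findings.append(f"link leaves Meta domains: {host}")
    return findings

# Constructed sample messages (not taken from the campaign).
PHISH = ('From: "Meta Support" <noreply@appsheet.com>\n'
         "Subject: Submit an appeal to avoid account deletion\n\n"
         "Your Facebook Business account is scheduled for deletion.\n"
         "Appeal here: https://appeal-form.example.invalid/case\n")
BENIGN = ('From: "AppSheet" <noreply@appsheet.com>\n'
          "Subject: Your app report is ready\n\n"
          "Open it at https://www.appsheet.com/\n")
```

The rule deliberately ignores sender reputation, since the relay address is genuine; it keys on the mismatch between who the message claims to be and where it was sent from and links to.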



