AccountDumpling: Vietnamese Phishing Operation Leverages Google AppSheet to Steal 30,000 Facebook Accounts

A sophisticated phishing campaign, dubbed **AccountDumpling**, has been uncovered that uses **Google AppSheet** as a relay to target **Facebook** accounts. The Vietnamese-linked operation is estimated to have compromised roughly 30,000 accounts, which are then sold through an illicit online storefront.

### AppSheet Abuse for Phishing Distribution
Researchers at **Guardio** have identified a new scheme where attackers are leveraging the **Google AppSheet** platform to distribute phishing emails, effectively bypassing traditional spam filters. The emails impersonate **Meta Support**, urging **Facebook** Business account owners to submit an appeal under the threat of permanent account deletion.

Shaked Chen, a security researcher at **Guardio**, stated, "What we found wasn't a single phishing kit... It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back."

### Tactics and Techniques
The phishing emails originate from a legitimate **Google AppSheet** address (`[email protected]`), lending them an air of authenticity. Victims are directed to fake web pages designed to harvest their credentials. This campaign shares similarities with a previous attack reported by **KnowBe4** in May 2025.

Over recent weeks, the attackers have diversified their lures to induce a "Meta-related panic," including:
* Account disablement threats
* Copyright complaints
* Verification review requests
* Executive recruitment scams
* **Facebook** login alerts

**Guardio** identified four main clusters of attack vectors:

* **Netlify**-hosted **Facebook** help center pages used for account takeover, collecting personal data (DOB, phone numbers, government IDs) and forwarding it to a **Telegram** channel controlled by the attackers.
* Blue badge evaluation lures redirecting victims to **Vercel**-hosted "Security Check" or "Meta | Privacy Center" pages, gated by CAPTCHAs, ultimately leading to phishing pages that steal contact details, business information, credentials, and 2FA codes, exfiltrating them to a **Telegram** channel.
* **Google Drive**-hosted PDFs, disguised as account verification instructions, designed to harvest passwords, 2FA codes, government ID photos, and browser screenshots using html2canvas. These PDFs are generated using free **Canva** accounts.
* Fake job offers impersonating legitimate companies like **WhatsApp**, **Meta**, **Adobe**, **Pinterest**, **Apple**, and **Coca-Cola** to establish trust and solicit further communication on attacker-controlled platforms.
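
Because the mail is sent by a legitimate platform, sender authentication alone does not separate it from normal AppSheet notifications. The following is an added detection sketch, not code from Guardio or from the original article: it flags mail whose sender is the relay platform while the content claims to be Meta and uses the lure themes or hosting services listed above. The sender domain `appsheet.com`, the hosting hostnames, the keyword lists and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not values from the article: AppSheet mail is sent from appsheet.com,
# and the hosting services named above use these public hostnames.
RELAY_DOMAINS = {"appsheet.com"}
HOSTING_SUFFIXES = ("netlify.app", "vercel.app", "drive.google.com")
BRAND_RE = re.compile(r"\b(meta|facebook)\b", re.I)
LURE_RE = re.compile(r"disabl|delet|copyright|verif|appeal|recruit|login alert|blue badge", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def body_text(msg):
    """Concatenate every text/* part, decoding base64 or quoted-printable bodies."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_message(raw):
    """Return the individual signals and a combined 'flag' verdict for one raw email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = body_text(msg)
    text = " ".join([display, msg.get("Subject", ""), body])
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    hits = {
        "relay_sender": addr.rpartition("@")[2].lower() in RELAY_DOMAINS,
        "claims_meta": bool(BRAND_RE.search(text)),
        "lure_language": bool(LURE_RE.search(text)),
        "free_hosting_link": any(h == s or h.endswith("." + s)
                                 for h in hosts for s in HOSTING_SUFFIXES),
    }
    # Sender authentication passes for relayed mail, so the verdict rests on the
    # mismatch between the sending platform and the brand the content claims.
    hits["flag"] = hits["relay_sender"] and hits["claims_meta"] and (
        hits["lure_language"] or hits["free_hosting_link"])
    return hits

# Constructed sample messages (not real campaign mail).
PHISH = ('From: "Meta Support" <noreply@appsheet.com>\nSubject: Final notice for your '
         'Facebook Business account\n\nYour account will be permanently deleted. '
         'Submit an appeal: https://appeal-form.example.netlify.app/help\n')
BENIGN = ('From: "AppSheet" <noreply@appsheet.com>\nSubject: An inventory app was shared '
          'with you\n\nOpen it here: https://www.appsheet.com/start/placeholder\n')

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, score_message(raw))
```

The individual signals are returned alongside the verdict so they can be tuned or logged separately in a mail gateway rule.
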
### Scale and Impact
The **Telegram** channels associated with these attacks contain approximately 30,000 victim records, primarily from the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico. Many of these victims have been locked out of their **Facebook** accounts.
### Attribution
Open-source intelligence (OSINT) points to a Vietnamese individual, "PHẠM TÀI TÂN," as the author of the PDFs used in the third cluster of attacks, leveraging a free **Canva** account. Further investigation revealed a website (`phamtaitan[.]vn`) offering digital marketing services.

### Implications
"Taken together, they form a consistent picture of a large, Vietnamese-based, mega operation," Chen concluded. "This campaign is bigger than a single **AppSheet** abuse. It's a window into the dark market around stolen **Facebook** assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. Another entry in the pattern we keep surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers."