AccountDumpling Abuses Google AppSheet as Legitimate Phishing Relay to Compromise 30,000 Facebook Accounts

The AccountDumpling campaign has compromised approximately 30,000 Facebook accounts by routing phishing emails through Google AppSheet, a legitimate no-code application platform, to bypass spam filters and email security gateways. The technique borrows the trusted sender reputation of Google's infrastructure and shows how hard it has become to filter phishing that is delivered through legitimate SaaS platforms.

#phishing #facebook #google-appsheet #bec #saas-abuse #account-takeover #threat-intelligence

Guardio Security has disclosed AccountDumpling, a Vietnamese-linked phishing campaign that has compromised approximately 30,000 Facebook accounts by routing phishing delivery through Google AppSheet — Google’s legitimate no-code application building platform. The campaign exploits the trusted sender reputation of Google’s email infrastructure and the business-legitimate appearance of AppSheet-generated notification emails to defeat spam filters, email security gateways, and user training that focuses on identifying suspicious sender domains.

How the Attack Works

Google AppSheet allows users to build no-code applications that can send automated emails (notification alerts, form submissions, data updates) using Google's email sending infrastructure. The AccountDumpling operators configured AppSheet applications to generate and send phishing emails that appear to originate from [email protected] or a similar legitimate AppSheet notification address, because they genuinely do: the platform, not the attacker's own mail server, performs the delivery.

The phishing email payload follows a Facebook security alert template: warning the recipient of a suspicious login, an account violation, or an imminent account restriction, and directing them to click a link to verify their account or appeal a decision. The linked page is a Facebook login credential phishing site.

From an email security perspective, the messages pass SPF, DKIM, and DMARC authentication checks because they genuinely originate from Google's email infrastructure and the From: domain is the same Google-operated sending domain that legitimate AppSheet notifications use. IP reputation scores are clean. Spam filter heuristics trained to identify phishing from sender reputation anomalies do not trigger. The practitioner's caveat: email authentication only proves that the domain owner's infrastructure sent the message; it says nothing about whether the content is benign, so an authenticated "pass" must not be treated as a trust signal for the links inside the message.

Operational Scale and Infrastructure

Guardio's analysis identified that the AccountDumpling infrastructure includes:

  • Real-time operator dashboards tracking which accounts have been successfully compromised, displaying victim email addresses, account status, and geographic distribution
  • An illicit storefront reselling compromised Facebook accounts sorted by quality tier (age of account, follower count, whether the account has a payment method attached)
  • Credential validation automation that tests captured credentials against Facebook’s API before listing the accounts for sale
  • Campaign management tooling that rotates AppSheet application configurations to avoid single-application takedowns

The campaign targets consumer Facebook accounts rather than enterprise environments, but the underlying technique of sending through a legitimate SaaS platform's email infrastructure applies equally to corporate phishing campaigns. Because the operators rotate the AppSheet applications used for sending, reporting or blocking one application does not stop the campaign; detection has to key on the message content and link destinations rather than on any single sending application.

The Trusted Infrastructure Problem

AccountDumpling is the latest in a growing series of campaigns that exploit the trusted infrastructure reputation of major cloud providers:

  • DEEP#DOOR: Python backdoor C2 over Cloudflare Tunnel
  • EtherRAT: C2 encoded in Ethereum blockchain transactions
  • TeamPCP CanisterSprawl: Data exfiltration via ICP blockchain canisters
  • AccountDumpling: Phishing delivery via Google AppSheet email infrastructure

The common thread is that enterprise security infrastructure cannot simply block Google, Cloudflare, or Ethereum node providers: these services are legitimate and business-critical. Traditional perimeter security models that rely on domain and IP reputation as a primary filter become progressively less effective when attackers route through infrastructure that reputation systems explicitly allowlist.

Detection Guidance

Email gateway configuration: Most enterprise email security products (Proofpoint, Mimecast, Microsoft Defender for Office 365) allow rule configuration that goes beyond sender reputation. Look for AppSheet notification messages whose body links point to hosts outside Google-owned domains, and for the combination of an AppSheet sender address with urgent account security language (suspicious login, account violation, verify or appeal within a deadline). Because the indicator is the combination of an authenticated Google sender, a foreign link destination, and a lure template, a rule built on those three signals catches the campaign's rotating applications without blocking legitimate AppSheet notifications that link back into Google.
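The rule above, written out as a small triage script. This is an added example for this page, not code from Guardio's research or from any gateway vendor; the two sample messages, the sender address noreply@appsheet.com, the Authentication-Results format, and the domain allowlists are constructed assumptions. It parses raw RFC 5322 messages, confirms that SPF/DKIM/DMARC all report pass, extracts every URL host from the body, and flags only when a trusted Google/AppSheet sender is combined with a non-Google link host and lure phrasing, so an authenticated benign AppSheet notification is left alone.

```python
"""Heuristic for 'authenticated but suspicious' SaaS notification mail.

Flags a message that (a) comes from a Google/AppSheet sender domain,
(b) passes SPF/DKIM/DMARC per Authentication-Results, yet (c) links to a
host outside the Google/AppSheet estate and (d) uses account-security
urgency language. All sample messages below are constructed for this
example; the sender address and domain lists are assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

TRUSTED_SENDER_SUFFIXES = ("appsheet.com", "google.com")                    # assumption
EXPECTED_LINK_SUFFIXES = ("appsheet.com", "google.com", "googleusercontent.com")  # assumption
URGENCY_PATTERNS = (  # phrasing of the Facebook security-alert lure described in the article
    r"suspicious\s+login",
    r"account\s+(?:violation|restriction)",
    r"verify\s+your\s+account",
    r"will\s+be\s+(?:disabled|restricted|suspended)",
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _domain_of(addr_header: str) -> str:
    """Bare domain from a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr_header or "")
    return m.group(1).lower().rstrip(".") if m else ""


def _host_matches(host: str, suffixes) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _auth_passed(msg: Message) -> bool:
    """True when Authentication-Results reports spf, dkim and dmarc all pass."""
    ar = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))


def _body_text(msg: Message) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Signals and verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender_domain = _domain_of(msg.get("From", ""))
    body = _body_text(msg)
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    foreign = sorted({h for h in hosts if h and not _host_matches(h, EXPECTED_LINK_SUFFIXES)})
    urgent = [p for p in URGENCY_PATTERNS if re.search(p, body, re.IGNORECASE)]
    trusted_sender = _host_matches(sender_domain, TRUSTED_SENDER_SUFFIXES)
    auth_pass = _auth_passed(msg)
    # Passing authentication is a precondition for the rule, not an exoneration:
    # the campaign's whole point is that these messages authenticate cleanly.
    flag = trusted_sender and auth_pass and bool(foreign) and bool(urgent)
    return {
        "sender_domain": sender_domain,
        "auth_pass": auth_pass,
        "foreign_link_hosts": foreign,
        "urgency_hits": urgent,
        "flag": flag,
    }


# Constructed samples (not captured campaign mail). The lure mirrors the
# template the article describes; the benign one is an ordinary app notification.
LURE = """From: AppSheet <noreply@appsheet.com>
To: victim@example.com
Subject: Facebook Security Notice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=utf-8

We detected a suspicious login on your Facebook account. Your page will be
restricted unless you verify your account within 24 hours:
https://fb-appeal-center.example.net/verify?id=123
"""

BENIGN = """From: AppSheet <noreply@appsheet.com>
To: user@example.com
Subject: Inventory app: new row added
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=utf-8

A new row was added to Inventory. Open the app: https://www.appsheet.com/start/abc123
"""


def triage(raw_messages) -> list:
    """Return [(subject, flagged)] so the decision can be reviewed in bulk."""
    out = []
    for raw in raw_messages:
        subj = message_from_string(raw).get("Subject", "")
        out.append((subj, score_message(raw)["flag"]))
    return out


if __name__ == "__main__":
    for subject, flagged in triage([LURE, BENIGN]):
        print(f"{'FLAG' if flagged else 'ok  '}  {subject}")
```

Tuning note: the urgency patterns and link allowlist are the two knobs to adjust per environment. Widen the allowlist to the Google hosts your own AppSheet apps link to, and add the lure phrasing you actually receive; keep the structural rule (trusted sender + authenticated + foreign link + lure text) intact, because that combination is what survives the operators' application rotation.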

User awareness training update: Staff awareness training should now explicitly cover that legitimate-looking emails from Google infrastructure (AppSheet, Workspace notifications, Google Forms) can be phishing vectors. The presence of a Google sender domain is not a trust signal for the links contained in the email.

Facebook account protection for business accounts: Organisations that use Facebook for marketing, advertising, or customer communication should ensure all Facebook Business Manager accounts use phishing-resistant MFA (hardware keys or passkeys). Individual user compromises can pivot to business account takeover if the compromised personal account has Business Manager access.
