May 17, 2026 · 8 min read
Hackers Just Hijacked 30,000 Facebook Business Accounts Using a Trick Google Sells as a Feature—The Phishing Emails Came From noreply@appsheet.com
Guardio Labs traced a Vietnamese operation called AccountDumpling that turned Google's AppSheet automation platform into a phishing relay. Every message passed SPF, DKIM, and DMARC because Google's own servers signed it.
The Phishing Email Google Sent for You
On May 1, 2026, Guardio Labs researcher Shaked Chen published findings on a phishing operation Guardio calls AccountDumpling. The campaign compromised roughly 30,000 Facebook Business accounts across ten countries, and it worked because the phishing emails were delivered by Google.
Not "Google" as in spoofing a Google address. Google as in: the emails originated from noreply@appsheet.com and appsheet.bounces.google.com, sent through Google's own AppSheet automation platform, signed by Google's mail servers, and validated by SPF, DKIM, and DMARC. Every spam filter that asked "is this really from Google?" got back a green check mark. And then it delivered the phishing email straight to the inbox.
Why AppSheet Exists, and Why That's the Problem
AppSheet is a no-code automation platform Google acquired in 2020. It lets companies build small business apps that send automated notifications. The platform was designed for legitimate use cases: an inventory app emails a manager when stock runs low, a project tracker pings a team when a deadline slips.
The attackers behind AccountDumpling realized that "an app that emails users" plus "Google's mail infrastructure" equals "a phishing relay backed by the most trusted sender reputation on the internet." So they signed up for AppSheet, built apps whose only purpose was to fire phishing emails, and let Google handle delivery. As Guardio's report put it, the operation "turns Google AppSheet into a phishing relay, then sells the stolen accounts back through a storefront run by the same hands."
The emails passed authentication for the same reason any AppSheet automation passes authentication: Google's servers signed them. SPF authorized the sending IP. DKIM signed the body with a Google-managed key. DMARC checked the alignment and waved them through. Microsoft 365, Gmail, and ProtonMail all delivered them as legitimate.
The Lure
The phishing emails targeted Facebook Business account owners — the small businesses, agencies, and creators who run paid ads through Meta. The pretext was account deletion. The emails claimed to be from "Meta Support" and warned that the account faced permanent deletion unless the owner submitted an appeal within a short window.
For a business that depends on Meta ads for revenue, "your account is about to be deleted" is exactly the kind of pressure that overrides the usual hover-over-the-link instinct. And the sender domain — noreply@appsheet.com — looks unfamiliar but plausibly legitimate. Most people do not know what AppSheet is. The ones who recognize it know it as a Google product.
Clicking the appeal link sent victims down one of four parallel infrastructure tracks:
- Netlify-hosted pages that copied the Facebook Help Center, using a unique subdomain for each target to avoid URL blocklists
- Vercel-hosted "Security Check" or "Meta | Privacy Center" pages that gated the credential form behind a CAPTCHA
- Google Drive-hosted PDFs generated with Canva, leading to further phishing pages
- Fake job offers impersonating WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola, for victims who needed a different lure
Once on the fake appeal page, the victim was asked for the full grab bag: Facebook username and password, two-factor authentication codes, date of birth, phone number, photos of government-issued ID, and in some cases screenshots of the victim's own browser. Every field flowed in real time into private Telegram channels where the operators validated the data and executed the account takeover before the victim realized anything was wrong.
The Numbers and the Geography
Guardio's mapping of the campaign covered roughly 30,000 confirmed victims, distributed across the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico. The campaign targeted small- to mid-sized business owners and ad agencies — accounts with active ad budgets, active payment methods, and active reputation with the Meta ad platform. A compromised account with an existing ad credit line can run six figures of fraudulent advertising before Meta's anti-abuse team catches up.
The post-compromise economics are simple. Some accounts were used directly for ad fraud (running scam ads that monetize the existing ad budget and audience). Others were resold through what Guardio described as "a storefront run by the same hands" — an attacker-controlled marketplace where stolen Facebook Business accounts trade between buyers who specialize in different post-takeover monetization paths.
Attribution and the Canva Slip
The campaign was meticulous about infrastructure hygiene — fresh subdomains, segmented hosting providers, throwaway AppSheet accounts. It was less meticulous about file metadata. One of the Canva-generated PDFs the operators sent through Google Drive still carried metadata pointing back to a Vietnamese name: Phạm Tài Tân. From there, researchers traced the operation to a publicly listed digital marketing and consulting site at phamtaitan[.]vn.
It is an old mistake — exporting a document with the original author field intact — and it ends up being how a 30,000-account criminal operation gets named.
Why This Is Worse Than a Normal Phishing Wave
Most phishing emails fail one of three gates: they get caught by SPF/DKIM/DMARC, they get caught by URL reputation, or they get caught by a user who notices a sketchy sender. AccountDumpling beat all three.
- Authentication: Cleared because Google's own infrastructure signed the messages.
- URL reputation: Bypassed because every victim got a unique subdomain on Netlify or Vercel, and reputation engines need volume to build a verdict.
- User skepticism: Undermined because the sender domain belongs to Google and the destination domain belongs to brand-name cloud platforms.
This is the structural problem with letting any third party send mail through your trusted infrastructure: the trust signal collapses the moment a single attacker signs up. Over the past year we have seen the same pattern with leaked IAM keys being abused to send mail through Amazon SES from victim domains, and with attackers abusing Google Cloud's own mail relays for phishing that passes every authentication check. AppSheet is the same pattern with a different label.
What to Do — As a Recipient
If you run a Facebook Business account, treat any "account deletion appeal" email as hostile, regardless of sender. Meta's actual policy notifications appear inside the Facebook Business Manager itself, not by email from an automation platform you have never heard of.
Practical defenses:
- Never click the appeal link in an email. Go directly to business.facebook.com and check the notification center.
- If you must click, hover and confirm the domain is facebook.com or business.facebook.com, not a subdomain on Netlify, Vercel, or Google Drive.
- If your email client shows the sending domain rather than the friendly name, glance at it. noreply@appsheet.com is not Meta, no matter what the friendly name says.
- Treat any request for date of birth, phone, government ID, or screenshots inside a Meta "appeal" as a tripwire. Meta's actual appeal flow does not ask for those upfront on a single page.
What to Do — As an IT or Security Team
If you run mail security for an organization with marketing or agency staff, this campaign is probably already in your inbox archive. Specific things to look for and block:
- Inbound mail from noreply@appsheet.com, *@appsheet.com, and *@appsheet.bounces.google.com. Unless your business uses AppSheet for legitimate workflows, the entire sender domain can go on the block list.
- URLs leading to subdomains on *.netlify.app, *.vercel.app, or Google Drive that contain Facebook, Meta, or "appeal" keywords in the path.
- Outbound DNS to recently registered Vietnamese domains and Telegram bot infrastructure.
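To make those indicators concrete, here is an added triage function (this editor's example, not Guardio's tooling or anything from the report) that applies them to raw message text. The sample messages are constructed, and flagging the relay domain only when the From display name claims to be Meta or Facebook is an assumption added here so that a sanctioned AppSheet automation is not caught by the same rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Relay domains named in the report. They are flagged only when the display
# name impersonates Meta, so sanctioned AppSheet automations still get through.
RELAY_DOMAINS = {"appsheet.com", "appsheet.bounces.google.com"}
IMPERSONATED = re.compile(r"\b(meta|facebook)\b", re.I)
# Landing-page hosting and the path keywords the article lists.
LURE_HOSTS = (".netlify.app", ".vercel.app", "drive.google.com")
LURE_WORDS = re.compile(r"facebook|meta|appeal", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def triage(raw: str) -> list:
    """Return the reasons a raw RFC 5322 message matches the AccountDumpling pattern."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    # spf/dkim/dmarc=pass is expected here, not exculpatory: Google really signed it,
    # so the signal has to come from the display name and the link destination.
    if domain in RELAY_DOMAINS and IMPERSONATED.search(name):
        reasons.append(f"relay sender {domain} with display name '{name}'")
    for url in URL_RE.findall(msg.get_payload()):
        parts = urlparse(url)
        host = parts.netloc.lower()
        if host.endswith(LURE_HOSTS) and LURE_WORDS.search(host + parts.path):
            reasons.append(f"lure url {host}{parts.path}")
    return reasons


# Constructed samples modelled on the lure the article describes (not real captures).
LURE = """From: "Meta Support" <noreply@appsheet.com>
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=appsheet.com; dmarc=pass
Subject: Your account is scheduled for permanent deletion

Submit an appeal within 24 hours: https://meta-appeal-7f3a.netlify.app/help/appeal
"""
BENIGN = """From: "Inventory Tracker" <noreply@appsheet.com>
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=appsheet.com; dmarc=pass
Subject: Stock low: SKU 4471

Reorder at https://drive.google.com/file/d/EXAMPLE/view
"""

if __name__ == "__main__":
    print(triage(LURE))    # two reasons: the sender and the lure url
    print(triage(BENIGN))  # []
```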
For environments that legitimately use AppSheet, the harder question is how you allow noreply@appsheet.com for sanctioned automations while blocking it for arbitrary external senders. Google's documentation does not currently expose a per-app sender identity, which is the underlying design flaw the attackers are exploiting. Until Google fixes that, the practical answer is a sender allow list keyed to the specific AppSheet app IDs your business runs.
The Pattern Will Repeat
AccountDumpling is not the first time Google's mail infrastructure has been turned into a phishing relay, and it will not be the last. The economics are too good: free, trusted, authenticated delivery, with the sending reputation backed by one of the most reputable mail networks on the internet. As long as Google offers a no-code automation product that sends mail through Google's own SPF and DKIM, attackers will keep signing up.
The 30,000 Facebook businesses that lost their accounts to AccountDumpling will eventually get most of them back. The structural problem — that "authenticated by Google" no longer means "trustworthy" — does not have an easy fix. Until it does, the only safe assumption is that the sender header is decorative, and the real verification has to happen at the URL.