Google AppSheet phishing hits 30,000 Facebook business accounts
Attackers used Google AppSheet to send phishing emails that stole Facebook login credentials and 2FA codes, compromising about 30,000 business and advertiser accounts.
Attackers used Google’s AppSheet platform to send phishing emails that stole Facebook login credentials and two‑factor authentication codes, compromising about 30,000 Facebook business and advertiser accounts. The messages were routed through Google infrastructure and passed standard email authentication checks.
Researchers linked the operation to a Vietnam‑connected group that has run the campaign over an extended period and remains active. Most victims were Facebook Pages and business profiles tied to advertising and marketing, accounts that control ad spend, brand pages and customer access.
After gaining access, attackers ran scams, placed fraudulent ads and sold account access to third parties. In some cases the operators offered paid “recovery” services to the same businesses whose accounts they had compromised.
The phishers used AppSheet, a no‑code service for building mobile and web apps that can send automated notifications. AppSheet allows a custom sender display name and sends mail from AppSheet sender addresses, delivered through domains like appsheet.bounces.google.com. Because the emails were relayed through Google, they passed the SPF, DKIM and DMARC checks that many filters use to mark messages as legitimate. Those checks only confirm that the message genuinely came from the AppSheet/Google sending domain; they say nothing about whether the display name (“Meta Business Support”, for example) is truthful.
The malicious emails typically warned of policy violations, copyright complaints or verification requests and urged recipients to act quickly. Linked pages collected Facebook login details, one‑time verification codes and account recovery information. Some forms requested the full set of data at once: password, multiple 2FA codes, date of birth, phone number and photos of identity documents.
Behind the phishing sites was an automated back end built on Telegram channels and bots to collect, sort and process stolen data. Stolen credentials were grouped, traded or reused and automated tools scaled the operation across thousands of targets.
Because messages arrived through Google systems, many standard defenses treated them as legitimate, extending the campaign’s reach. Facebook and Instagram do not send urgent policy or verification notices through third‑party mailing channels such as Google AppSheet; a mismatch between the actual sending domain and the platform named in the message is an indicator of fraud.
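The sender/platform mismatch described above can be turned into a simple mail-triage check. The following is an added example, not code from the report or from Google or Meta: it parses a constructed message, notes that SPF/DKIM/DMARC all pass, and still flags it because the mail comes through the AppSheet relay domains while its display name and subject claim to be Facebook or Meta. The header values and addresses in the sample are constructed.

```python
"""Triage heuristic for AppSheet-relayed brand-impersonation mail (example code)."""
from email import message_from_string
from email.utils import parseaddr

# Relay/sender domains identifying AppSheet notifications (from the report).
APPSHEET_DOMAINS = {"appsheet.com", "appsheet.bounces.google.com"}
# Brands the campaign impersonates; extend for your own environment.
IMPERSONATED_BRANDS = ("facebook", "instagram", "meta")

# Constructed sample message; addresses and header values are made up.
SAMPLE = """\
Return-Path: <bounce@appsheet.bounces.google.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=appsheet.bounces.google.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
From: "Meta Business Support" <notification@appsheet.com>
To: owner@example-shop.test
Subject: Facebook Page policy violation - action required within 24 hours

Your page will be disabled unless you verify your account.
"""


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address, '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def is_appsheet_relay(msg):
    """True if the From or envelope (Return-Path) domain is an AppSheet domain."""
    doms = {domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))}
    return bool(doms & APPSHEET_DOMAINS)


def claimed_brand(msg):
    """Brand named in the display name or subject, or None."""
    display_name, _ = parseaddr(msg.get("From", ""))
    text = f"{display_name} {msg.get('Subject', '')}".lower()
    return next((b for b in IMPERSONATED_BRANDS if b in text), None)


def auth_passed(msg):
    """True when Authentication-Results reports spf, dkim and dmarc all passing."""
    ar = msg.get("Authentication-Results", "").lower()
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))


def triage(raw):
    """Flag mail that passes authentication yet pairs an AppSheet relay with a brand claim."""
    msg = message_from_string(raw)
    brand = claimed_brand(msg)
    relay = is_appsheet_relay(msg)
    return {"auth_passed": auth_passed(msg), "appsheet_relay": relay,
            "claimed_brand": brand, "flag": relay and brand is not None}
```

The point of the check is that authentication passing is not a reason to trust the message; the relay domain and the claimed brand are compared instead.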
Users and administrators should not click links in unexpected account‑related emails and should go directly to facebook.com or the Facebook app to check account status. Do not provide passwords, repeated 2FA codes or identity photos in response to email requests. Enable two‑factor authentication, turn on login alerts for new devices and locations, audit account access, review recent ad spend and consider changing recovery information and credentials if compromise is suspected. Investigations into the operation are ongoing.