Google AppSheet Used in⁤ Facebook Credential Phishing Attack

Updated may ⁤27,2025
‌

A new phishing campaign is leveraging Google AppSheet ⁢to infiltrate inboxes and steal Facebook⁢ login information,cybersecurity firm KnowBe4 reports. The⁢ attackers are exploiting AppSheet’s workflow automation to send​ emails from a legitimate​ “noreply@appsheet.com” address, bypassing traditional email security measures.

Thes ⁣phishing emails mimic Facebook notifications, attempting ⁣to ‍trick⁤ users into divulging ‌their login ‌credentials and two-factor authentication⁢ (2FA) codes. The goal is to compromise accounts and maintain persistent access.

The large-scale ⁣campaign successfully circumvents Microsoft and Secure ‌Email Gateways (SEGs) due to the‌ trusted source domain ⁢and unique IDs generated by AppSheet.​ This makes each email slightly different, ‌evading standard detection systems.

The emails falsely claim⁣ intellectual property violations and threaten account ⁢deletion within 24 hours unless an appeal is submitted via a provided button.​ Clicking this button‍ redirects victims to a fake Facebook login page hosted on Vercel,a legitimate web application platform,further enhancing the campaign’s credibility.

Victims ⁤who enter their ‌credentials on the fake page are then prompted for 2FA codes. These codes are immediately used to obtain a session token,granting the attackers ⁣continued access even after the user changes their password.

What’s next

Users should remain vigilant and carefully inspect all emails, especially those requesting login information. Always verify the legitimacy of​ a website ⁣before entering⁣ credentials, and enable multi-factor ⁢authentication using an authenticator app where possible.