Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign
By Dhivya
May 2, 2026
A sophisticated cybercriminal operation dubbed “AccountDumpling” has compromised approximately 30,000 Facebook accounts worldwide.
Discovered by Guardio Labs, this Vietnamese-linked campaign abuses Google’s AppSheet platform to bypass traditional email security filters.
By routing fully authenticated phishing lures through legitimate channels, the attackers successfully harvest credentials and identity documents. These stolen Facebook Business accounts are subsequently monetized or resold back to victims through an illicit storefront.
The foundation of this campaign relies on hijacking platform trust rather than spoofing domains. The threat actors use Google AppSheet, a legitimate no-code app-building service, to distribute malicious notifications.
Email phishing (Source: Guardio Labs)
Because these emails are sent directly from Google servers using the address noreply@appsheet.com, they easily pass SPF, DKIM, and DMARC authentication checks.
AccountDumpling (Source: Guardio Labs)
Security defenders and spam filters consistently wave these messages through since Google genuinely owns the sending infrastructure. This forces victims to rely entirely on identifying the deceptive content within the message itself.
Attack and Evasion Methodologies
The operation is highly modular, employing four distinct phishing clusters to target victims based on different psychological triggers.
| Cluster Type | Lure Strategy | Hosting Platform | Technical Features |
|---|---|---|---|
| Policy Violation | Fake Facebook Help Center notices threatening permanent account disablement | Netlify | HTTrack cloning artifacts, unique subdomains to evade blocklists, serverless functions for data exfiltration |
| Reward Promise | Invitations for Blue Badge verification or exclusive advertiser rewards | Vercel | Unicode obfuscation in preheaders, fake reCAPTCHA barriers, live credential validation scripts |
| Live Control | Urgent Meta notices disguised as a clean, single-image notification | Google Drive (Canva PDFs) | WebSocket-based live phishing panels enabling real-time, human-in-the-loop interaction |
| Social Engineering | Fake senior job offers from prominent tech companies like Meta and Apple | Off-platform communication channels | Cyrillic homoglyphs in sender display names, pivoting to live conversations to slowly build trust |
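The content checks a mail filter still has to make once authentication passes, shown as an added example (not code from Guardio Labs or this article): it covers the authenticated noreply@appsheet.com relay described above together with the hosting and homoglyph traits listed in the table. The sample messages, finding names, and the short look-alike map are constructed for illustration.

```python
import re
import unicodedata
from email.headerregistry import Address
from email.message import EmailMessage

HOSTING = ("netlify.app", "vercel.app", "drive.google.com")  # platforms' default domains
BRANDS = ("facebook", "meta")                                 # brands named in the lures
# A few Cyrillic look-alikes folded to Latin (illustrative, not a full confusables table).
FOLD = str.maketrans("\u0430\u0435\u043e\u0441\u0440\u0445", "aeocpx")

def scripts(text):
    """Scripts (LATIN, CYRILLIC, ...) of the letters in text, from Unicode names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}

def triage(msg):
    """Content findings for a message; passing authentication is not treated as safe."""
    findings = []
    sender = msg["From"].addresses[0]
    auth = str(msg.get("Authentication-Results", "")).lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    if sender.addr_spec.lower() == "noreply@appsheet.com" and all(
            f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("authenticated-appsheet-relay")
    if {"LATIN", "CYRILLIC"} <= scripts(sender.display_name):
        findings.append("mixed-script-display-name")
    text = (sender.display_name + " " + body).lower().translate(FOLD)
    if any(re.search(rf"\b{b}\b", text) for b in BRANDS) and not any(
            b in sender.domain.lower() for b in BRANDS):
        findings.append("brand-named-by-unrelated-sender")
    hosts = re.findall(r"https?://([^/\s]+)", body.lower())
    if any(h == d or h.endswith("." + d) for h in hosts for d in HOSTING):
        findings.append("link-to-shared-hosting")
    return findings

def build(display_name, body):
    """Constructed test message: AppSheet sender with passing SPF/DKIM/DMARC results."""
    msg = EmailMessage()
    msg["From"] = Address(display_name, "noreply", "appsheet.com")
    msg["Authentication-Results"] = "mx.example.net; spf=pass; dkim=pass; dmarc=pass"
    msg.set_content(body)
    return msg

# Constructed samples: a lure shaped like the table's clusters, and a routine notification.
LURE = build("M\u0435ta Support", "Your Facebook page will be permanently disabled.\n"
             "Appeal here: https://case-0000.netlify.app/help-center")
ROUTINE = build("AppSheet", "Your scheduled report is ready.")

if __name__ == "__main__":
    print(triage(LURE))
    print(triage(ROUTINE))
```

Both samples pass authentication identically; only the content findings separate the lure from the routine notification.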
Behind the sophisticated front-end lures, the AccountDumpling operation relies entirely on Telegram bots for command-and-control and exfiltration.
Telegram Phishing Campaign (Source: Guardio Labs)
Stolen credentials, two-factor authentication codes, dates of birth, and government-issued ID photos are instantly routed to private Telegram channels.
Operators actively monitor these streams to validate the stolen data and execute account takeovers in real time. Telemetry from the recovered bot infrastructure indicates roughly 30,000 victim records have been processed.
Geographic analysis reveals that 68.6 percent of the targeted individuals and businesses are located in the United States.
Canva Generated Phishing (Source: Guardio Labs)
Guardio Labs successfully traced the core of the operation to a Vietnamese threat actor through a critical operational security failure.
Phishing Campaign (Source: Guardio Labs)
A Canva-generated PDF used in the third attack cluster retained its author metadata, exposing the real name “PHẠM TÀI TÂN”. Investigators connected this name to a public business persona in Vietnam that actively advertises Facebook account recovery and security services.
This reveals a circular criminal economy in which attackers steal valuable business assets, use them to run fraudulent campaigns, and then attempt to sell recovery services back to the original victims.