“AccountDumpling” Hunting Down the Google-Sent Phishing Wave Compromising 30,000+ Facebook Accounts
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A phishing operation abuses Google AppSheet to send legitimate-looking emails that lure victims to malicious pages hosted on Netlify and Vercel. Those pages collect full Facebook account recovery details and forward them to Telegram bots in real time. The campaign has been linked to a Vietnam-based individual and has already resulted in the compromise of more than 30,000 Facebook accounts. The stolen accounts are then monetized through a storefront that advertises account recovery services.
Investigation
Guardio researchers traced the delivery chain back to AppSheet, identified four separate phishing clusters, and gathered hundreds of malicious hosting URLs. They also extracted Telegram bot tokens and chat IDs, connected the infrastructure to a Canva PDF containing a Vietnamese name, and analyzed the geographic spread of victims. Their research exposed a modular ecosystem in which one group develops the phishing kits, another conducts the campaigns, and a third profits from the stolen account access.
Mitigation
Defenders should block the known malicious Netlify and Vercel subdomains, monitor AppSheet-generated emails that contain suspicious call-to-action links, and detect outbound connections to Telegram bot API endpoints. Organizations should also strengthen validation around Facebook login and recovery workflows and require re-authentication for sensitive recovery actions. Users should be reminded that emails sent through trusted Google services can still be part of a phishing attempt.
Response
Security teams should alert on emails from noreply@appsheet.com that include links to unfamiliar Netlify, Vercel, or shorten.tv domains. DNS lookups for those domains should be correlated with Telegram bot traffic to identify possible exfiltration. If credentials have been stolen, affected users should be forced to reset passwords and any compromised Facebook accounts should be reviewed immediately. Relevant indicators should also be shared with the SOC and external threat intelligence channels.
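The DNS-to-Telegram correlation described above, written out as an added example (not part of the original report or of the vendor's detection content): it parses constructed DNS and proxy log lines, flags requests whose URL carries the Bot API pattern `/bot<token>/<method>`, and raises an alert only when the same source host resolved a Netlify, Vercel, or shorten.tv name within a short window. The log formats, IPs, hostnames, and the bot token are all constructed for the example; the token is redacted in the alert so the output can be shared without leaking the full secret.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): one workstation resolves a
# Netlify-hosted page, then POSTs to the Telegram Bot API a few seconds later.
DNS_LOG = """\
2024-05-02T10:14:03Z 10.1.2.40 A random-words-1234.netlify.app
2024-05-02T10:14:05Z 10.1.2.40 A fonts.gstatic.com
2024-05-02T10:14:21Z 10.1.2.40 A api.telegram.org
2024-05-02T10:16:00Z 10.1.2.77 A docs.google.com
2024-05-02T11:30:00Z 10.1.2.90 A api.telegram.org
"""

PROXY_LOG = """\
2024-05-02T10:14:22Z 10.1.2.40 POST https://api.telegram.org/bot123456789:AAExampleTokenConstructed/sendMessage 200
2024-05-02T10:16:02Z 10.1.2.77 GET https://docs.google.com/ 200
2024-05-02T11:30:01Z 10.1.2.90 GET https://api.telegram.org/ 200
"""

# Hosting providers the report names as carrying the phishing pages.
PHISH_HOSTING = ("netlify.app", "vercel.app", "shorten.tv")

# Bot API calls embed the bot token in the URL path: /bot<token>/<method>.
BOT_CALL = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns(text):
    """Return (time, src_ip, qname) tuples from the constructed DNS log format."""
    out = []
    for line in text.splitlines():
        ts, src, _rtype, qname = line.split()
        out.append((_ts(ts), src, qname.lower()))
    return out


def parse_proxy(text):
    """Return (time, src_ip, method, url, status) tuples from the constructed proxy log format."""
    out = []
    for line in text.splitlines():
        ts, src, method, url, status = line.split()
        out.append((_ts(ts), src, method, url, int(status)))
    return out


def is_phish_hosting(host):
    """True for the provider apex or any subdomain of it (not for look-alike apexes)."""
    return any(host == d or host.endswith("." + d) for d in PHISH_HOSTING)


def redact_token(token):
    """Keep enough of the token to pivot on in the SIEM, never the full secret."""
    return token[:6] + "..." + token[-4:] if len(token) > 12 else "***"


def correlate(dns_text, proxy_text, window=timedelta(minutes=10)):
    """Alert when a host that resolved a phishing-hosting domain also calls the
    Telegram Bot API (URL containing /bot<token>/) within `window` of that lookup."""
    dns = parse_dns(dns_text)
    alerts = []
    for when, src, _method, url, _status in parse_proxy(proxy_text):
        m = BOT_CALL.match(url)
        if not m:
            continue  # plain api.telegram.org traffic is not a bot call
        hosting = sorted({q for t, s, q in dns
                          if s == src and is_phish_hosting(q) and abs(when - t) <= window})
        if hosting:
            alerts.append({"src": src, "time": when.isoformat(), "method": m["method"],
                           "token_redacted": redact_token(m["token"]),
                           "hosting_domains": hosting})
    return alerts


if __name__ == "__main__":
    for alert in correlate(DNS_LOG, PROXY_LOG):
        print(alert)
```

The 10.1.2.90 host in the sample reaches api.telegram.org without the `/bot<token>/` path and is left alone; ordinary Telegram client use would otherwise drown the rule in noise, which is why the path pattern rather than the hostname is the key. The same logic applies to proxy logs from the "via proxy" detection and to DNS logs from the "via dns" detection listed under Detections.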
Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff

  %% Nodes
  action_phishing["<b>Action</b> – <b>T1566 Phishing</b><br/>Phishing via Google AppSheet to trick users into revealing credentials or clicking malicious links."]
  class action_phishing action

  action_cloud_abuse["<b>Action</b> – <b>T1496.004 Resource Hijacking: Cloud Service Hijacking</b><br/>Abuse of a cloud email service to send authenticated malicious email.<br/><b>Additional Technique</b> – <b>T1021.007 Remote Services: Cloud Services</b><br/>Use of legitimate cloud remote services to carry out malicious activity."]
  class action_cloud_abuse action

  action_credential_harvest["<b>Action</b> – <b>T1606 Forge Web Credentials</b><br/>Creation of credential-harvesting pages hosted on Netlify/Vercel.<br/><b>Additional Technique</b> – <b>T1212 Exploitation for Credential Access</b><br/>Exploitation of web platforms to capture user credentials."]
  class action_credential_harvest action

  action_gather_info["<b>Action</b> – <b>T1589 Gather Victim Identity Information</b><br/>Collection of victim identity data.<br/><b>Additional Technique</b> – <b>T1591.002 Gather Victim Org Information: Business Relationships</b><br/>Gathering business relationship details.<br/><b>Additional Technique</b> – <b>T1591.004 Gather Victim Org Information: Identify Roles</b><br/>Identifying victim roles within the organization."]
  class action_gather_info action

  action_exfil_telegram["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Exfiltration of data through Telegram bot C2 channel.<br/><b>Additional Technique</b> – <b>T1552.001 Unsecured Credentials: Credentials In Files</b><br/>Harvesting of credentials stored in files."]
  class action_exfil_telegram action

  action_facebook_access["<b>Action</b> – <b>T1078 Valid Accounts</b><br/>Use of stolen valid accounts to access Facebook Business resources."]
  class action_facebook_access action

  %% Connections
  action_phishing -->|leads_to| action_cloud_abuse
  action_cloud_abuse -->|leads_to| action_credential_harvest
  action_credential_harvest -->|leads_to| action_gather_info
  action_gather_info -->|leads_to| action_exfil_telegram
  action_exfil_telegram -->|leads_to| action_facebook_access
```
Detections
Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
Phishing Emails via Google AppSheet Targeting Facebook Accounts [Google Cloud Platform]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
1. Reconnaissance: The attacker harvests a list of Facebook employee email addresses from public sources.
2. AppSheet Abuse Setup: Using a compromised Google Workspace account, the attacker creates an AppSheet app that sends email notifications. The app is configured to use the default AppSheet bounce domain appsheet.bounces.google.com.
3. Phishing Payload: The notification email contains a lure (“Your Facebook password is expiring – reset now”) with a malicious link pointing to a credential‑harvesting page.
4. Launch Campaign: The attacker triggers the AppSheet workflow, causing the platform to dispatch the crafted email to the target list. The resulting email metadata matches:
   sender_email = noreply@appsheet.com
   delivery_domain = appsheet.bounces.google.com
5. Outcome: The SIEM rule evaluates the incoming log entry, matches both fields, and generates an alert.
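The rule evaluation from the Outcome step, combined with the link check from the Response section, as an added example that is not part of the original page or of the vendor's rule content: it applies the two-field match (sender_email and delivery_domain) to constructed email log entries, then inspects the links in the body. AppSheet mail pointing at Netlify, Vercel, or shorten.tv is escalated to high severity; AppSheet mail pointing only at appsheet.com or google.com stays at the base alert level. The entry layout, the sample messages, and the list of expected link domains are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Field values the detection keys on, as given in the simulation narrative.
APPSHEET_SENDER = "noreply@appsheet.com"
APPSHEET_DELIVERY_DOMAIN = "appsheet.bounces.google.com"
# Hosting providers the report names for the phishing pages.
SUSPECT_HOSTING = ("netlify.app", "vercel.app", "shorten.tv")
# Link destinations we expect in genuine AppSheet notifications (assumption for this example).
EXPECTED_LINK_DOMAINS = ("appsheet.com", "google.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed email log entries (not from the report): a lure, a genuine-looking
# AppSheet notification, and an unrelated message.
EMAIL_LOG = [
    {"id": "m1", "sender_email": "noreply@appsheet.com",
     "delivery_domain": "appsheet.bounces.google.com",
     "subject": "Important: Facebook Account Action Required",
     "body": "Your password expires in 24 hours. Reset here: https://acct-recovery-8812.netlify.app/reset"},
    {"id": "m2", "sender_email": "noreply@appsheet.com",
     "delivery_domain": "appsheet.bounces.google.com",
     "subject": "Expense report approved",
     "body": "Open the app: https://www.appsheet.com/start/abc123"},
    {"id": "m3", "sender_email": "alerts@example.com",
     "delivery_domain": "example.com",
     "subject": "Build failed",
     "body": "See https://ci.example.com/job/42"},
]


def link_hosts(body):
    """Lower-cased hostnames of every http(s) URL found in the message body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def _matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def evaluate(entry):
    """Return an alert dict when both header fields match the AppSheet pattern,
    with severity raised by the link destinations; None when the rule does not fire."""
    if (entry["sender_email"].lower() != APPSHEET_SENDER
            or entry["delivery_domain"].lower() != APPSHEET_DELIVERY_DOMAIN):
        return None
    hosts = link_hosts(entry["body"])
    suspect = [h for h in hosts if _matches(h, SUSPECT_HOSTING)]
    unexpected = [h for h in hosts if not _matches(h, EXPECTED_LINK_DOMAINS)]
    if suspect:
        severity = "high"        # links to the hosting providers used by the campaign
    elif unexpected:
        severity = "medium"      # AppSheet mail linking somewhere we do not recognise
    else:
        severity = "low"         # base alert: both fields matched, links look routine
    return {"id": entry["id"], "severity": severity,
            "suspect_links": suspect, "unexpected_links": unexpected}


def run(entries):
    """Evaluate every log entry and keep only the ones that produced an alert."""
    return [alert for alert in map(evaluate, entries) if alert]


if __name__ == "__main__":
    for alert in run(EMAIL_LOG):
        print(alert)
```

Running the regression script below should produce an entry shaped like m1 in the mail log, and this evaluator should return a high-severity alert for it; m2 shows why the two-field match alone is noisy in a tenant that uses AppSheet legitimately, and why the link check belongs in the same rule.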
Regression Test Script: The script below automates steps 2‑4 using the Gmail API (through the Google API Python client) to emulate an AppSheet‑style notification. It requires a service‑account JSON with permission to send mail via the Gmail API.

```python
# python 3.x – send a crafted phishing-style email via Gmail API
import base64
import sys
from email.mime.text import MIMEText

from google.oauth2 import service_account
from googleapiclient.discovery import build

# ---- Configuration -------------------------------------------------
SERVICE_ACCOUNT_FILE = "service-account.json"  # <-- replace with path
SCOPES = ["https://www.googleapis.com/auth/gmail.send"]
SENDER = "noreply@appsheet.com"
RECIPIENT = "victim@facebook.com"
SUBJECT = "Important: Facebook Account Action Required"
BODY = """
Dear Facebook User,

Our records indicate that your password will expire in 24 hours.
Please reset it immediately by clicking the link below:

https://malicious.example.com/steal?uid=12345

Thank you,
Facebook Security Team
"""
# --------------------------------------------------------------------

# Note: the Gmail API only accepts service-account calls when the account has
# domain-wide delegation and the credential impersonates a mailbox
# (credentials.with_subject("<delegated user>")); configure that before running.
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE, scopes=SCOPES
)

try:
    service = build("gmail", "v1", credentials=credentials)
    message = MIMEText(BODY, "plain")
    message["to"] = RECIPIENT
    message["from"] = SENDER
    message["subject"] = SUBJECT
    # Add custom header to mimic AppSheet bounce domain
    message["X-Delivery-Domain"] = "appsheet.bounces.google.com"
    raw = base64.urlsafe_b64encode(message.as_bytes()).decode()
    send_body = {"raw": raw}
    result = service.users().messages().send(userId="me", body=send_body).execute()
    print(f"Message sent, ID={result['id']}")
except Exception as e:
    print(f"Error sending email: {e}", file=sys.stderr)
    sys.exit(1)
```
Cleanup Commands: Remove the test message from the sent folder and revoke the service‑account token.
```powershell
# PowerShell – delete the test message from the Gmail Sent folder using the Gmail API
# Requires the Google.Apis.Auth and Google.Apis.Gmail.v1 .NET assemblies to be loaded
# (e.g. Add-Type -Path <path to the DLLs>), and the same delegated service account
# used by the send script.
$serviceAccount = "service-account.json"
$scopes = @("https://www.googleapis.com/auth/gmail.modify")

# Build a scoped credential from the service-account JSON
$cred = [Google.Apis.Auth.OAuth2.GoogleCredential]::FromFile($serviceAccount).CreateScoped($scopes)

# Wire the credential into a Gmail service client
$initializer = New-Object "Google.Apis.Services.BaseClientService+Initializer"
$initializer.HttpClientInitializer = $cred
$gmail = New-Object Google.Apis.Gmail.v1.GmailService -ArgumentList $initializer

# Retrieve the message ID (replace with actual ID from the send script)
$msgId = "INSERT_MESSAGE_ID_HERE"
$gmail.Users.Messages.Delete("me", $msgId).Execute()
Write-Host "Test email deleted."
```