A Vietnamese threat actor group has compromised approximately 30,000 Facebook accounts through a phishing campaign that used Google AppSheet as relay infrastructure. Guardio researchers designated the operation AccountDumpling. The attackers abused AppSheet, Google's no-code application platform, to distribute phishing emails targeting Facebook credentials. Once harvested, the stolen accounts were monetized through an illicit storefront operated by the threat actors.

The abuse of legitimate cloud platforms for phishing distribution represents an evasion technique that bypasses traditional email filters. Google AppSheet's trusted reputation likely increased email deliverability and user trust in malicious messages. The scale of compromise at 30,000 accounts indicates sustained operational success and suggests weak detection by Facebook's security systems during the initial compromise window.

Defenders should implement email authentication controls including DMARC, SPF, and DKIM to reduce spoofing. Organizations should monitor for phishing emails originating from legitimate cloud platforms, as threat actors increasingly pivot toward services with established trust relationships. Facebook users should enable two-factor authentication immediately. Security teams tracking this activity should update their detection rules to flag Google AppSheet emails that contain credential-harvesting links.
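
One way to express the detection rule suggested above, as an added example that is not taken from Guardio's research or from the original page. It checks message content rather than the sender, because the mail really is sent by the platform. The sender domain, the allowed link hosts, the lure wording and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions, not from the page: relay sender domain, hosts the platform may
# legitimately link to, and the lure wording. Tune all three to local mail.
RELAY_SENDER_DOMAINS = {"appsheet.com"}
PLATFORM_LINK_HOSTS = {"appsheet.com", "google.com"}
LURE_TERMS = re.compile(r"facebook|password|log ?in|verify|suspend", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _in_domains(host, allowed):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def _host(url):
    try:
        return urlsplit(url).hostname or ""
    except ValueError:  # malformed URL, e.g. broken IPv6 literal
        return ""

def triage(raw_message):
    """Return (flagged, reasons) for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not _in_domains(sender_domain, RELAY_SENDER_DOMAINS):
        return False, ["sender is not a monitored relay platform"]
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            body += raw.decode(part.get_content_charset() or "utf-8", "replace")
    external = sorted({_host(u) for u in URL_RE.findall(body)
                       if not _in_domains(_host(u), PLATFORM_LINK_HOSTS)})
    reasons = []
    if external:
        reasons.append("links leave the platform: " + ", ".join(external))
    if LURE_TERMS.search(body):
        reasons.append("account or credential lure wording in body")
    return len(reasons) == 2, reasons  # flag only when both signals agree

# Constructed samples; addresses and hosts are placeholders.
HDR = "From: App <noreply@appsheet.com>\nTo: user@example.org\nSubject: Notice\n\n"
SUSPICIOUS = HDR + "Your Facebook page will be suspended: https://login.example.net/appeal\n"
BENIGN = HDR + "A row was added: https://www.appsheet.com/start/placeholder\n"
```

Requiring both signals keeps ordinary platform notifications out of the queue; a flagged message is a candidate for analyst review, not a verdict.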