Abuse of Google AppSheet in Phishing Campaigns: A Deep Dive into the Facebook Account Hijacking Ecosystem

In recent months, Facebook Business account owners have been targeted by highly convincing phishing campaigns that abuse Google’s AppSheet platform. Unlike traditional phishing that relies on look-alike domains or on mail that fails authentication, these attacks send their lures through legitimate Google infrastructure, so the messages look trustworthy even to cautious recipients. This post dissects the technical anatomy of the campaign, its evolution, and the broader implications for defenders and businesses.

Trust Inversion: When Authentication Works Against You

Traditionally, defenders rely on email authentication mechanisms like SPF, DKIM, and DMARC to filter malicious traffic. In this case, however, attackers abused Google’s AppSheet notification system to send phishing emails that passed all three checks. Delivered from [email protected] and routed through appsheet.bounces.google.com, these emails were authenticated as genuine AppSheet mail, creating a dangerous “trust inversion.” The green checkmarks in email clients reassured recipients, but authentication only proves which domain sent a message, not who wrote it: when any tenant of a notification platform can populate a notification with attacker-controlled text and links, a pass result says nothing about the content.
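The check a mail-filtering team would want here, as an added example that is not code from the original post or from Google: treat the authentication result as a fact about the sending platform and classify on envelope plus content instead. Python, standard library only. Both messages are constructed; the bounce domain appsheet.bounces.google.com is the one named above, while the sender address, the link hosts, the hosting-provider list and the lure word list are placeholders and assumptions.

```python
"""Triage of notification e-mail that passes SPF, DKIM and DMARC.

Added example, not code from the original post or from Google/AppSheet.
It assumes the analyst has the raw RFC 5322 message text. Both messages
below are constructed: the bounce domain is the one named in the post;
the sender address, link hosts and lure word list are placeholders.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Envelope-sender (bounce) domains of notification platforms whose mail is
# expected to pass authentication. Only the AppSheet entry comes from the
# post; extend the tuple from your own mail logs.
PLATFORM_BOUNCE_DOMAINS = ("appsheet.bounces.google.com",)

# Hosting providers on which the campaign's landing pages were observed.
DISPOSABLE_HOSTING = ("netlify.app", "vercel.app", "drive.google.com")

# Lure vocabulary of the Facebook-themed clusters (assumed word list).
LURE_TERMS = ("facebook", "meta business", "appeal", "verification",
              "blue badge", "suspended", "restricted")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed lure: authenticated platform mail carrying a brand lure and an
# off-platform link.
RAW_LURE = """\
Return-Path: <bounces+12345@appsheet.bounces.google.com>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=appsheet.bounces.google.com; dkim=pass header.d=appsheet.example; dmarc=pass header.from=appsheet.example
From: "Meta Business Support" <noreply@appsheet.example>
To: owner@victim.example
Subject: Your Facebook Business account has been restricted
Content-Type: text/plain; charset="utf-8"

Your page violated our Terms of Service. Submit an appeal within 24 hours:
https://meta-appeal-center.netlify.app/appeal?ref=1234
"""

# Constructed control: same platform, same authentication, benign content.
RAW_BENIGN = """\
Return-Path: <bounces+99@appsheet.bounces.google.com>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=appsheet.bounces.google.com; dkim=pass header.d=appsheet.example; dmarc=pass header.from=appsheet.example
From: "Inventory App" <noreply@appsheet.example>
To: owner@victim.example
Subject: Inventory: new row added
Content-Type: text/plain; charset="utf-8"

A new row was added to the Inventory app. Open it here:
https://app.appsheet.example/start/inventory
"""


def _host_in(host, suffixes):
    """True when host equals or is a subdomain of any listed suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(raw_message):
    """Return authentication, envelope and content signals for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    # 1. Authentication: the receiving MTA reported pass for all three.
    auth = {m.lower(): v.lower() for m, v in
            AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    auth_passed = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))

    # 2. Envelope: did a known notification platform send it?
    return_path = str(msg.get("Return-Path", "")).strip("<> ")
    bounce_host = return_path.rpartition("@")[2].lower()
    platform_notification = _host_in(bounce_host, PLATFORM_BOUNCE_DOMAINS)

    # 3. Content: where do the links point, and what vocabulary is used?
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    link_hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(text)
                         if urlparse(u).hostname})
    offplatform = [h for h in link_hosts if _host_in(h, DISPOSABLE_HOSTING)]
    lure_hits = [t for t in LURE_TERMS if t in text.lower()]

    # Passing authentication is a prerequisite of the abuse, not evidence
    # against it: a platform notification that carries brand lures and sends
    # the reader to throwaway hosting is the pattern, green checkmark or not.
    suspicious = platform_notification and bool(lure_hits) and bool(offplatform)
    return {
        "auth_passed": auth_passed,
        "platform_notification": platform_notification,
        "link_hosts": link_hosts,
        "lure_terms": lure_hits,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for name, raw in (("lure", RAW_LURE), ("benign", RAW_BENIGN)):
        print(name, triage(raw))
```

The point of the control message is that every header-level signal is identical for the lure and for a legitimate app notification; only the envelope-plus-content combination separates them, which is why an authentication-only gate cannot.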

Anatomy of the Attack: Four Clusters

The campaign unfolded across four distinct clusters, each with unique lures and technical sophistication:

  • Cluster A: Netlify-hosted Facebook Help Center. Victims were directed to cloned Facebook appeal pages hosted on Netlify, which requested credentials, personal details, and even government IDs. Each lure used a fresh Netlify subdomain, so domain blocklists lagged behind, while serverless functions exfiltrated the submitted data to Telegram bots.
  • Cluster B: Blue Badge Verification Scams. These lures promised rewards such as the blue verification badge. Vercel-hosted pages introduced more advanced evasion: Unicode obfuscation, anti-debugging scripts, and multi-round credential confirmation flows designed to capture every factor and hinder account recovery.
  • Cluster C: Google Drive PDFs with Live Control. Victims opened PDFs hosted on Google Drive that redirected to real-time phishing panels. Operators interacted with victims live, requesting additional inputs and adapting the flow as the session progressed. This human-in-the-loop model marked a significant escalation.
  • Cluster D: Fake Job Offers. Simpler but effective, these emails impersonated recruiters from major brands. By moving the conversation off-platform, attackers built trust gradually, sidestepping mail-based detection and exploiting human psychology.

Telegram Bots: The Exfiltration Backbone

Across clusters, stolen data was funneled into Telegram bots. Obfuscated JavaScript revealed bot tokens and chat IDs, linking phishing kits directly to operators. Analysis uncovered approximately 30,000 victim records, with a majority located in the United States. Administrative access traced back to recurring identities such as “Big Bosss” and “@mansinblack,” highlighting the organized nature of the operation.

Attribution: Vietnamese-Linked Ecosystem

Metadata from Google Drive PDFs exposed a Vietnamese developer, Phạm Tài Tân, whose public persona openly advertised Facebook-related “unlocking” services. Vietnamese-language code artifacts, working-hour patterns, and bot naming conventions reinforced attribution. While some clusters may involve affiliates, the evidence points to a large, modular, Vietnam-based operation where phishing kits, campaigns, and monetization layers are distributed across actors.
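Two of the analysis steps above, pulling the redirect target out of a Cluster C PDF and reading the Info dictionary that produced the attribution in this section, can be done with the standard library alone. The following is an added example, not the original post's tooling: the PDF is constructed in code, the author name and URLs are placeholders, and the Info lookup assumes a classic trailer rather than a cross-reference stream. One link action is deliberately placed inside a Flate-compressed stream, because a plain grep for /URI misses exactly that case.

```python
"""Triage of a lure PDF: link targets, auto-open redirect, and Info metadata,
with the standard library only.

Added example, not the original post's tooling. The PDF is constructed in
code; the author name and URLs are placeholders. One link action is placed
inside a Flate-compressed stream, where a plain grep for /URI misses it.
"""
import re
import zlib

INFO_KEYS = (b"Author", b"Creator", b"Producer", b"Title", b"CreationDate", b"ModDate")
PDF_STRING = rb"\(((?:[^()\\]|\\.)*)\)"          # literal string, escapes allowed
URI_RE = re.compile(rb"/URI\s*" + PDF_STRING)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def build_sample_pdf():
    """Constructed sample: an /OpenAction URI that fires when the file is
    opened, plus a Link annotation whose action object is Flate-compressed."""
    action = b"5 0 obj << /Type /Action /S /URI /URI (https://panel-lure.example/live?s=abc) >> endobj\n"
    packed = zlib.compress(action)
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI "
        b"/URI (https://drive-redirect.example/open?s=abc) >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 50] /A 5 0 R >> endobj\n",
        b"6 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed),
        packed,
        b"\nendstream\nendobj\n",
        b"7 0 obj << /Author (Example Author) /Creator (Example Office 1.0) "
        b"/CreationDate (D:20250101120000Z) >> endobj\n",
        b"trailer << /Root 1 0 R /Info 7 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


def _inflate(data):
    """Inflate one Flate stream; bytes trailing the zlib data are tolerated."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(data)
    except zlib.error:
        return None          # not a zlib stream (image data, other filters)
    return out if d.eof else None


def scan_pdf(pdf):
    """Return URIs (raw and inflated), auto-open flag, Info fields, stream count."""
    inflated = [s for s in (_inflate(m.group(1)) for m in STREAM_RE.finditer(pdf)) if s]
    uris = set()
    for blob in [pdf] + inflated:
        uris.update(u.decode("latin-1") for u in URI_RE.findall(blob))

    # Info dictionary: follow the trailer's /Info reference to its object.
    info = {}
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", pdf)
    if ref:
        obj = re.search(rb"(?m)^" + ref.group(1) + rb"\s+0\s+obj(.*?)endobj", pdf, re.S)
        body = obj.group(1) if obj else b""
        for key in INFO_KEYS:
            m = re.search(rb"/" + key + rb"\s*" + PDF_STRING, body)
            if m:
                info[key.decode()] = m.group(1).decode("latin-1")

    return {
        "uris": sorted(uris),
        "opens_with_action": b"/OpenAction" in pdf,
        "info": info,
        "inflated_streams": len(inflated),
    }


if __name__ == "__main__":
    report = scan_pdf(build_sample_pdf())
    for uri in report["uris"]:
        print("link ->", uri)
    print("auto-open action:", report["opens_with_action"])
    print("info:", report["info"])
```

Run this on a copy of the file in a sandbox rather than opening the PDF in a viewer; the /OpenAction entry is the mechanism that triggers a redirect on open. Real lure PDFs may also keep the Info dictionary or the annotations inside object streams (covered here by inflating every Flate stream) or carry authorship in an XMP packet, and incrementally updated files can contain several trailers; for those, a full PDF parser is the safer tool, but the fields this script reports are the ones that carried the attribution above.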

From Phishing Campaign to Access Economy

This campaign illustrates a broader shift: phishing is no longer about isolated credential theft. It has evolved into a supply chain economy where stolen accounts are harvested, resold, and repurposed for disinformation, fraud, and identity laundering. Trust signals like verification badges and business reputations have become commodities in underground markets. Once compromised, accounts serve as infrastructure for further abuse, eroding the foundation of digital trust.

Our Opinion

This case underscores a critical reality: attackers are no longer outsiders trying to break in. They operate as ordinary tenants of trusted platforms, turning those platforms’ own features against their users. By abusing Google AppSheet, Netlify, Vercel, and even Google Drive, they weaponized legitimate services. The sophistication of these campaigns shows that phishing has matured into a professionalized ecosystem, complete with modular tooling, monetization strategies, and global targeting.

From a defensive standpoint, this demands a paradigm shift. Relying solely on authentication results or URL blocklists is insufficient when attackers operate inside legitimate infrastructure: an authenticated message from a notification platform has to be treated as untrusted, user-generated content. Security teams must adopt behavioral detection (platform notifications whose links leave the platform’s own domains, brand vocabulary the platform has no reason to use, freshly created subdomains on disposable hosting), anomaly analysis, and proactive threat intelligence, including pivoting on the Telegram bot identifiers recovered from phishing kits. Platform providers, for their part, must recognize their role in this ecosystem and implement stricter abuse monitoring of the notification and hosting features being misused.

Ultimately, this campaign is not just about Facebook account hijacking—it is about the commodification of digital trust. As long as trust remains a tradable asset, attackers will continue to exploit it. The challenge for defenders is to rebuild trust signals that cannot be easily hijacked, ensuring that authentication and verification once again serve their intended purpose: protecting users, not deceiving them.