
Imagine receiving an official-looking email from your bank — but it's actually a scammer pretending to be your bank. That's phishing. Now imagine the scammer sent that email through your bank's own notification system, so it looks 100% legitimate. That's exactly what happened here.
Attackers used Google AppSheet — a real Google product — to send fake emails that appeared to come from Meta (the company behind Facebook). Because the email came from a Google address, spam filters let it through. Victims clicked a link, entered their Facebook login details on a fake page, and lost access to their accounts. Those accounts were then sold online for profit. In total, roughly 30,000 accounts were compromised this way.
Introduction: When Google's Infrastructure Becomes a Criminal Relay
In May 2026, cybersecurity firm Guardio disclosed a large-scale phishing operation that compromised approximately 30,000 Facebook accounts. The campaign, codenamed AccountDumpling, was not a blunt, spray-and-pray attack. It was a structured, evolving criminal enterprise with real-time operator panels, multiple lure variants, and an illicit storefront selling stolen credentials back to victims.
What made this campaign particularly damaging was its abuse of Google AppSheet's legitimate notification infrastructure. Phishing emails arrived from noreply@appsheet.com — a genuine Google sender address — giving them the credibility needed to slip past enterprise spam filters and email security gateways. This technique maps directly to MITRE ATT&CK technique T1566.002 (Spearphishing Link), combined with T1583.006 (Acquire Infrastructure: Web Services), where attackers repurpose trusted cloud services as delivery mechanisms.
Why do attacks like this succeed? Because they exploit trust in brand, not just technical vulnerabilities. When your email security tool sees a Google sender address, it assumes legitimacy. The attackers knew this — and built their entire campaign around it.
How the AccountDumpling Campaign Worked: Attack Chain Breakdown
The Entry Point: Panic-Driven Email Lures
The attacks began with phishing emails targeting Facebook Business account owners, falsely claiming to be from Meta Support and urging recipients to submit an appeal or risk permanent account deletion. The emails were sent via Google AppSheet's notification system, meaning the sender domain passed standard authentication checks.
The false sense of urgency directed users to fake web pages designed to harvest their credentials. This is a textbook application of T1204.001 (User Execution: Malicious Link) — where the attacker doesn't need to exploit software; they exploit human psychology instead.
Over several weeks, the campaign rotated through multiple lure themes to maintain effectiveness:
Lure categories observed:
- Account disablement warnings
- Copyright infringement complaints
- Verification review requests
- Executive recruitment offers (fake job postings)
- Facebook login alerts
Important: This rotation of lure types is deliberate. It prevents defenders from blocking a single template and allows the campaign to keep operating even when specific phishing pages are taken down.
Four Distinct Attack Clusters
Guardio identified four main clusters within the campaign: Netlify-hosted fake Facebook help center pages that collected dates of birth, phone numbers, and government-issued ID photos, forwarding the data to Telegram; fake blue badge evaluation pages on Vercel that bypassed a bogus CAPTCHA before harvesting credentials, 2FA codes, and business details; Google Drive-hosted PDF documents masquerading as account verification instructions that collected passwords, 2FA codes, government ID photos, and even browser screenshots via html2canvas; and fake job offer lures impersonating brands like WhatsApp, Meta, Adobe, and Apple.
| Attack Cluster | Hosting Platform | Data Harvested | Exfiltration Method |
|---|---|---|---|
| Fake Help Center Pages | Netlify | DOB, phone, gov ID | Telegram channel |
| Blue Badge Evaluation | Vercel | Credentials, 2FA, business info | Telegram channel |
| Verification PDF Lure | Google Drive / Canva | Passwords, 2FA, browser screenshots | Telegram channel |
| Fake Job Offers | Attacker-controlled sites | Contact info, session data | Attacker infrastructure |
Why Trusted Platform Abuse Is a Growing Detection Problem
The Spam Filter Bypass Problem
Traditional email security tools — Secure Email Gateways (SEGs), spam filters — rely heavily on sender reputation, domain age, and SPF/DKIM/DMARC records. When an email originates from appsheet.com, all three checks pass cleanly. The email is from Google. It does have valid authentication headers. The malicious content is just the link inside.
This technique is increasingly common. Similar abuse has been observed with Dropbox notifications, SharePoint sharing alerts, and DocuSign delivery emails. In the CIS Controls framework (Control 9: Email and Web Browser Protections), defenders are advised to implement content inspection beyond sender verification — but many organizations stop at authentication checks.
Pro Tip: Configure your email security platform to flag or quarantine messages that contain links to newly registered domains, even when the sender is a trusted cloud service. The sender address and the link destination are two different trust surfaces — inspect both.
Telegram as the Data Collection Backend
All three primary clusters used Telegram channels to receive stolen data in real time. This is operationally efficient for attackers: Telegram requires no server infrastructure, provides encryption, and is accessible globally. From a SOC detection standpoint, outbound HTTPS traffic to api.telegram.org from a phishing page is a meaningful indicator of compromise (IOC) — but it's rarely blocked at the perimeter because Telegram is a legitimate application.
The Threat Actor Profile and Criminal Business Model
Attribution: Vietnamese Digital Marketing Front
Metadata from PDF documents generated via a free Canva account listed a Vietnamese name as the files' author, and further open-source intelligence led to the discovery of a website offering digital marketing services.
The Telegram channels associated with the first three clusters held approximately 30,000 victim records, with most victims located in the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico — many of whom were locked out of their own accounts.
This fits a documented pattern of Vietnamese-origin threat actors targeting Facebook Business accounts. These actors have historically used malware like PXA Stealer and fake AI tool ads to harvest Meta credentials. The AccountDumpling campaign represents an evolution: no malware required, just infrastructure abuse and social engineering.
The Criminal-Commercial Loop
Security researcher Shaked Chen described it as "a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back."
Stolen Facebook Business accounts are valuable commodities. They carry advertising credit, verified payment methods, and brand reputation. Attackers sell access to these accounts on underground markets, where buyers use them to run fraudulent ad campaigns — often targeting other Facebook users. The cycle is self-reinforcing.
| Stolen Asset | Underground Market Value | Why It's Valuable |
|---|---|---|
| Facebook Business Account | High | Ad credit, payment methods, brand trust |
| 2FA Codes + Credentials | Medium-High | Enables full account takeover |
| Government ID Photos | Medium | Identity fraud, account recovery abuse |
| Browser Screenshots | Variable | Reveals session tokens, saved passwords |
Detection, Response, and Mitigation
What SOC Teams Should Watch For
Organizations running Facebook Business accounts — especially those managing significant ad spend — should treat this as a targeted threat, not a generic phishing risk.
Detection indicators:
- Emails from noreply@appsheet.com containing links to Netlify, Vercel, or Google Drive URLs that redirect elsewhere
- Outbound requests to api.telegram.org from browser sessions on corporate devices
- Login attempts to Facebook Business Manager from unrecognized IP addresses shortly after an employee receives an "urgent" Meta notification
- PDF downloads from Google Drive leading to external credential-harvesting pages
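Two of the indicators above are only meaningful in combination: a visit to a free hosting platform is routine on its own, and so is Telegram traffic, but a hosting-platform visit minutes after an AppSheet-relayed email to the same user, or a browser (rather than the Telegram desktop client) talking to api.telegram.org, is worth an alert. The following is an added example, not code from Guardio or any SIEM vendor: it correlates a constructed mail-gateway log with a constructed proxy log. The key=value log format, the 30-minute window, and the user-agent families are assumptions; adapt the parser to whatever your gateway and proxy actually export.

```python
"""Correlate mail-gateway and web-proxy logs for the detection indicators listed above.

Added example, not from the Guardio report. Both log formats and all entries are
constructed; the 30-minute window and the UA families are assumptions.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log: timestamp, recipient, sender, subject.
MAIL_LOG = """\
2026-05-04T09:12:03Z rcpt=alice@example.com from=noreply@appsheet.com subject="Appeal required"
2026-05-04T09:15:40Z rcpt=bob@example.com from=newsletter@vendor.example subject="May update"
2026-05-04T11:02:11Z rcpt=carol@example.com from=noreply@appsheet.com subject="Login alert"
"""

# Constructed proxy log: timestamp, authenticated user, destination host, UA family.
PROXY_LOG = """\
2026-05-04T09:20:15Z user=alice@example.com host=meta-appeal-center.netlify.app ua=browser
2026-05-04T09:21:02Z user=alice@example.com host=api.telegram.org ua=browser
2026-05-04T09:40:00Z user=bob@example.com host=api.telegram.org ua=telegram-desktop
2026-05-04T13:05:09Z user=carol@example.com host=badge-review.vercel.app ua=browser
"""

TRUSTED_RELAY_SENDERS = {"appsheet.com"}            # legitimate services abused as relays
HOSTING_SUFFIXES = ("netlify.app", "vercel.app", "drive.google.com")
EXFIL_HOSTS = {"api.telegram.org"}
WINDOW = timedelta(minutes=30)                      # assumed "lure followed" window


def parse_kv_line(line):
    """Parse 'TIMESTAMP key=value key="quoted value" ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def correlate(mail_log=MAIL_LOG, proxy_log=PROXY_LOG, window=WINDOW):
    """Return alerts of two kinds:
    - lure_followed: a relay-sender email, then a hosting-platform visit by the same
      user within `window`
    - browser_to_exfil_host: a browser-originated request to a known exfil host
    """
    relay_mails = defaultdict(list)
    for line in mail_log.splitlines():
        rec = parse_kv_line(line)
        if rec["from"].rsplit("@", 1)[-1] in TRUSTED_RELAY_SENDERS:
            relay_mails[rec["rcpt"]].append(rec)

    alerts = []
    for line in proxy_log.splitlines():
        hit = parse_kv_line(line)
        user, host = hit["user"], hit["host"]

        if host.endswith(HOSTING_SUFFIXES):
            for mail in relay_mails.get(user, []):
                if timedelta(0) <= hit["ts"] - mail["ts"] <= window:
                    alerts.append({"kind": "lure_followed", "user": user, "host": host,
                                   "mail_subject": mail["subject"],
                                   "minutes_after_mail": (hit["ts"] - mail["ts"]).seconds // 60})

        if host in EXFIL_HOSTS and hit["ua"] == "browser":
            alerts.append({"kind": "browser_to_exfil_host", "user": user, "host": host})

    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

In the constructed data, alice receives the relayed email and reaches a Netlify page eight minutes later, then her browser posts to api.telegram.org, so she produces both alert kinds; bob's Telegram traffic comes from the desktop client and is ignored; carol's Vercel visit falls two hours after her email, outside the window, which is what keeps this rule from paging on every developer who uses Vercel.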
Mitigation Controls Mapped to Frameworks
| Control | NIST CSF Function | CIS Control | Risk Reduced |
|---|---|---|---|
| MFA on all Meta Business accounts | Protect | CIS 6 | Account takeover even after credential theft |
| Email link sandboxing | Detect | CIS 9 | Identification of malicious redirect chains |
| Security awareness training | Protect | CIS 14 | Reduces susceptibility to urgency lures |
| Canva/Google Drive URL inspection | Detect | CIS 9 | Catches hosted phishing documents |
| Passkeys / hardware MFA tokens | Protect | CIS 6 | Defeats 2FA bypass via real-time phishing |
Important: TOTP-based 2FA (like Google Authenticator) is not sufficient protection against real-time phishing proxies. Attackers in this campaign captured 2FA codes in transit and used them immediately. Hardware security keys (FIDO2/WebAuthn) are not susceptible to this technique because the key binds to the legitimate domain — a fake site cannot replicate it.
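The difference the note describes can be seen from the server's side. Below is an added example, not code from the article, Meta or Google: the TOTP part is a faithful RFC 6238 implementation (HMAC-SHA1, 30-second step, six digits), and it shows that the verifier receives nothing that says where the code was typed, so a code relayed within its window verifies. The WebAuthn part is a deliberately reduced model: a real authenticator signs with a per-site private key, and here an HMAC key stands in for it so the example runs without third-party libraries. What is faithful is the relying-party check that the origin recorded in clientData equals the expected origin before the signature is even examined. The origin strings, secrets and challenge are constructed.

```python
"""Why a relayed TOTP code verifies but a relayed WebAuthn assertion does not.

Added example, not code from the article, Meta or Google. TOTP follows RFC 6238.
The WebAuthn part is a reduced model: an HMAC key stands in for the credential's
private key; the relying-party origin check is the faithful part.
"""
import hashlib
import hmac
import json
import struct

TOTP_SECRET = b"constructed-shared-secret-12345"     # shared by authenticator app and server


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_accepts_totp(secret, submitted_code, now, skew_steps=1):
    """Server-side check: the code matches the current or an adjacent time step.
    The input carries no notion of WHICH site the user typed it into."""
    return any(hmac.compare_digest(totp(secret, now + k * 30), submitted_code)
               for k in range(-skew_steps, skew_steps + 1))


# --- WebAuthn-style assertion (reduced model) ---
CREDENTIAL_KEY = b"constructed-credential-key-abcde"   # stand-in for the private key
RP_ORIGIN = "https://business.example"                 # constructed; the RP's real origin


def authenticator_sign(challenge, origin_seen_by_browser):
    """The browser writes the origin it is actually on into clientData; the
    authenticator signs a hash of it. A page cannot choose a different origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin_seen_by_browser}, sort_keys=True).encode()
    digest = hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, digest, hashlib.sha256).digest()
    return client_data, signature


def rp_verify(challenge, client_data, signature, expected_origin=RP_ORIGIN):
    """Relying party: challenge must match, origin must match, then check the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
        return False
    if data.get("origin") != expected_origin:
        return False                                   # this is the check a proxy cannot pass
    digest = hashlib.sha256(client_data).digest()
    expected = hmac.new(CREDENTIAL_KEY, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo():
    """Compare the two factors against the same relay scenario and return the verdicts."""
    now = 1_700_000_000
    code = totp(TOTP_SECRET, now)
    # The same six digits, submitted by anyone a few seconds later: still valid.
    totp_relay_accepted = server_accepts_totp(TOTP_SECRET, code, now + 5)

    challenge = "constructed-challenge"
    genuine_cd, genuine_sig = authenticator_sign(challenge, RP_ORIGIN)
    lookalike_cd, lookalike_sig = authenticator_sign(challenge, "https://business-appeal.example")
    return {
        "totp_relay_accepted": totp_relay_accepted,
        "webauthn_genuine_accepted": rp_verify(challenge, genuine_cd, genuine_sig),
        "webauthn_relay_accepted": rp_verify(challenge, lookalike_cd, lookalike_sig),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running `demo()` gives `totp_relay_accepted: True`, `webauthn_genuine_accepted: True` and `webauthn_relay_accepted: False`. The TOTP server has only a secret and a clock, so it cannot tell a code typed on the real site from one typed on a look-alike page and forwarded; the relying party, by contrast, sees the origin the browser itself recorded and rejects the assertion before any cryptography runs. In the real protocol the browser additionally refuses to exercise the credential at all when the page's domain does not match the credential's RP ID, which is a second layer the model leaves out.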
Key Takeaways
- Verify sender intent, not just sender identity. A legitimate sender domain doesn't mean the email's purpose is legitimate — inspect link destinations independently.
- Upgrade 2FA to hardware tokens or passkeys for any account tied to ad spending or business-critical data; TOTP codes can be captured in real time.
- Monitor Telegram API traffic from corporate endpoints; it's a common exfiltration channel in credential-harvesting campaigns.
- Treat Facebook Business accounts as enterprise assets — apply the same access controls, monitoring, and incident response procedures you'd apply to internal systems.
- Review who has admin access to your Meta Business Manager regularly; compromised accounts often go unnoticed until fraudulent ad charges appear.
- Run tabletop exercises that include social engineering scenarios targeting your marketing and advertising teams, who are frequent targets of Meta-themed lures.
Conclusion
The AccountDumpling campaign is a clear demonstration of how threat actors exploit the trust economy that enterprise security tools have built around major cloud platforms. When attackers send phishing emails through Google's own infrastructure, they're not breaking into Google — they're borrowing Google's credibility. The technical sophistication here isn't in the malware (there is none); it's in the operational design: rotating lures, multiple hosting platforms, real-time data collection via Telegram, and a criminal marketplace that monetizes every stolen account.
For security teams, the lesson is to stop treating trusted sender domains as a security boundary. The boundary is the link destination, the credential collection behavior, and the urgency framing. Under NIST CSF's Detect function, behavioral and contextual indicators matter more than authentication headers when the attacker is authenticating legitimately.
If your organization manages Facebook Business accounts, the immediate next step is an access audit: who has admin roles, what MFA method protects those accounts, and whether your security awareness training covers Meta-themed lures specifically. That audit takes an afternoon. Recovering 30,000 compromised accounts takes considerably longer.
Frequently Asked Questions
Why couldn't spam filters catch these phishing emails?
The emails were sent through Google AppSheet's legitimate notification system, using a genuine Google sender address (noreply@appsheet.com). Most spam filters check whether the sender domain is authentic — and in this case, it was. The malicious content was only the link inside the email, which pointed to attacker-controlled pages. Filters that inspect link destinations in real time have a better chance of catching this, but many organizations don't have that capability configured.
What made this campaign particularly dangerous compared to typical phishing?
Most phishing campaigns are static — one template, one fake site, one wave of emails. AccountDumpling was an operational system with multiple lure types, several hosting platforms, real-time data collection, and a criminal storefront. When one phishing page was taken down, another variant was already running. That operational resilience is what allowed it to compromise around 30,000 accounts.
Is enabling 2FA on my Facebook account enough protection?
Standard time-based 2FA (like a six-digit code from an authenticator app) is not sufficient against real-time phishing. Attackers in this campaign collected 2FA codes from victims immediately and used them before they expired. Hardware security keys (FIDO2/WebAuthn) are significantly more resistant because they cryptographically verify the site's domain — a fake site cannot trigger a valid hardware key response.
How are stolen Facebook Business accounts monetized?
Stolen accounts are sold on underground marketplaces, often to buyers who want access to existing advertising credit, verified payment methods, and established account reputation. Buyers then run fraudulent ad campaigns — sometimes promoting scams, sometimes targeting other users — using the stolen account's credibility to avoid immediate suspension.
What should I do if I think my Facebook Business account was compromised?
Immediately attempt to recover access through Meta's official account recovery process at facebook.com/hacked. Revoke all active sessions from the Security Settings panel, change your password, and switch to a hardware security key for 2FA if possible. If your account managed an ad account with payment methods attached, notify your payment provider about potential unauthorized charges and review recent ad activity for campaigns you didn't create.
