AccountDumpling Campaign: Google AppSheet Social Engineering Relay Detection & Defense

A newly identified operation, codenamed AccountDumpling by Guardio researchers, highlights a sophisticated evolution in social engineering: the abuse of trusted cloud infrastructure as a relay. Threat actors linked to Vietnam have leveraged Google AppSheet—a legitimate no-code application development platform—to distribute phishing emails and host credential-harvesting pages.

This campaign has successfully compromised approximately 30,000 Facebook accounts. The attackers are not merely stealing credentials for immediate fraud; they are monetizing them through illicit storefronts, selling high-value accounts (often with established ad payment history) to other cybercriminals.

For defenders, this represents a critical shift. Traditional security controls often whitelist Google domains, allowing these malicious AppSheet deployments to bypass email gateway filters and web proxies. This post provides the technical intelligence needed to detect, hunt, and remediate this specific threat.

Technical Analysis

Affected Products & Platforms:

Target: Facebook (Business and Personal accounts).
Infrastructure Abused: Google AppSheet (appsheet.com).

Attack Chain & TTPs:

Initial Contact: Victims receive targeted social engineering emails or messages.
The "Relay": The attack vector does not host the phishing kit on a compromised WordPress site or a bulletproof hosting server. Instead, it uses Google AppSheet. Since appsheet.com is a high-reputation Google domain, SSL inspection and URL filtering often categorize it as "Safe" or "Business."
Credential Harvesting: The AppSheet application presents a fake page mimicking a Facebook login or verification interface. When the user enters credentials, the data is exfiltrated to the attacker's infrastructure via the AppSheet backend.
Monetization: Valid credentials are aggregated and sold on underground forums.

Exploitation Status:

Status: Confirmed Active Exploitation (In-the-wild).
Severity: High. While this is not a CVE-based software exploit, it is an active infrastructure abuse campaign with a high success rate due to the implicit trust placed in Google domains.

Detection & Response

This threat requires a shift in mindset: we must treat trusted SaaS platforms with the same scrutiny as unknown domains if they are not part of the approved corporate app catalog. Below are detection mechanisms to identify traffic to and interactions with Google AppSheet in your environment.

Sigma Rules

The following rules identify process execution patterns and network connections associated with browsing Google AppSheet, a behavior that is anomalous in most enterprises unless explicitly adopted for development.

YAML

---
title: AccountDumpling - Suspicious Google AppSheet Network Connection
id: 4a1c9e8b-f3d2-4a5c-9e1f-2b3a4c5d6e7f
status: experimental
description: Detects network connections to Google AppSheet (appsheet.com) from a browser process. This is often associated with the AccountDumpling campaign abusing trusted infrastructure for phishing.
references:
 - https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html
author: Security Arsenal
date: 2026/05/12
tags:
 - attack.initial_access
 - attack.social_engineering
 - attack.credential_access
logsource:
 category: network_connection
 product: windows
detection:
 selection:
  DestinationHostname|endswith: '.appsheet.com'
  Image|endswith:
   - '\chrome.exe'
   - '\msedge.exe'
   - '\firefox.exe'
   - '\brave.exe'
 condition: selection
falsepositives:
 - Legitimate use of Google AppSheet for internal business applications
level: medium
---
title: AccountDumpling - DNS Query for AppSheet Infrastructure
id: 5b2d0f9c-0e4a-5b6d-0f2e-3c4b5d6e7f0a
status: experimental
description: Detects DNS queries for appsheet.com. Frequent requests from internal endpoints may indicate ongoing phishing activity.
references:
 - https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html
author: Security Arsenal
date: 2026/05/12
tags:
 - attack.initial_access
 - attack.discovery
logsource:
 product: windows
  category: dns_query
detection:
 selection:
  QueryName|contains: '.appsheet.com'
 condition: selection
falsepositives:
 - Authorized use of Google AppSheet
level: low

KQL (Microsoft Sentinel / Defender)

Use this query to hunt for devices communicating with the AppSheet infrastructure. Correlate this with potential Facebook login alerts or risky sign-ins to identify compromise.

KQL — Microsoft Sentinel / Defender

// Hunt for network connections to Google AppSheet
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "appsheet.com"
| extend FullUrl = strcat("https://", RemoteUrl, RequestUrl)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, ActionType
| summarize Count = count() by DeviceName, RemoteUrl
| order by Count desc

Velociraptor VQL

This artifact hunts browser history for visits to AppSheet domains. Since the attack relies on the user visiting a link, forensically validating the user's browser history is the most accurate method to confirm exposure.

VQL — Velociraptor

-- Hunt for AppSheet (AccountDumpling) usage in Chrome History
SELECT * FROM foreach(
    glob(globs="/*", root=pathspec(path="$Env:LOCALAPPDATA\\Google\\Chrome\\User Data")),
    {
        SELECT 
            timestamp(epoch=visit_time/1000000 - 11644473600) as EventTime,
            url,
        FROM parse_chrome_history(filename=OSPath($path))
        WHERE url =~ "appsheet.com"
        LIMIT 100
    }
)

Remediation Script (PowerShell)

If Google AppSheet is not an approved tool in your environment, the following PowerShell script can be used to audit potential exposure by checking recent browser history artifacts or adding a temporary network block. Note: Blocking via hosts file is a temporary containment measure; perimeter blocking is preferred.

PowerShell

# AccountDumpling Response Script
# Checks for recent history of AppSheet usage in Chrome (User must be logged in)
# Adds a temporary hosts file block if -Block switch is used (Requires Admin)

param(
    [switch]$Block
)

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$BlockDomain = "appsheet.com"

Write-Host "[+] Checking for Google AppSheet history artifacts..." -ForegroundColor Cyan

$HistoryPath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History"
$TempHistory = "$env:TEMP\chrome_history_copy.db"

if (Test-Path $HistoryPath) {
    try {
        Copy-Item $HistoryPath $TempHistory -Force
        $Query = "SELECT url, last_visit_time FROM urls WHERE url LIKE '%$BlockDomain%' ORDER BY last_visit_time DESC LIMIT 5"
        
        # Check for sqlite3 availability or use basic string search if db tools missing
        if (Get-Command sqlite3 -ErrorAction SilentlyContinue) {
            $Results = sqlite3 $TempHistory $Query
            if ($Results) {
                Write-Host "[!] WARNING: AppSheet usage detected:" -ForegroundColor Red
                $Results
            } else {
                Write-Host "[+] No AppSheet history found in Chrome." -ForegroundColor Green
            }
        } else {
            Write-Host "[-] sqlite3 not found. Performing basic string check on History file..." -ForegroundColor Yellow
            $Content = Get-Content $TempHistory -Raw -ErrorAction SilentlyContinue
            if ($Content -match $BlockDomain) {
                Write-Host "[!] WARNING: AppSheet string found in History file." -ForegroundColor Red
            }
        }
        Remove-Item $TempHistory -Force -ErrorAction SilentlyContinue
    }
    catch {
        Write-Host "[-] Error reading Chrome History. Ensure Chrome is closed." -ForegroundColor Red
    }
} else {
    Write-Host "[-] Chrome History not found for current user." -ForegroundColor Gray
}

if ($Block) {
    if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
        Write-Host "[!] Blocking requires Administrator privileges." -ForegroundColor Red
    } else {
        $HostsContent = Get-Content $HostsPath
        if ($HostsContent -notmatch $BlockDomain) {
            Add-Content -Path $HostsPath -Value "127.0.0.1`t$BlockDomain"
            Add-Content -Path $HostsPath -Value "127.0.0.1`twww.$BlockDomain"
            Write-Host "[+] Added block for $BlockDomain to hosts file." -ForegroundColor Green
            Write-Host "[+] Flush DNS cache with 'ipconfig /flushdns' if necessary."
        } else {
            Write-Host "[-] Block for $BlockDomain already exists." -ForegroundColor Gray
        }
    }
}

Remediation

Infrastructure Blocking:
- Immediately update your Secure Web Gateway (SWG) or proxy firewall to block access to appsheet.com unless your organization explicitly uses Google AppSheet for development.
- If you are a Google Workspace customer, use the Context-Aware Access controls to restrict access to AppSheet to specific OUs or IP ranges.
User Awareness & Training:
- Issue a specific security bulletin to users highlighting that attackers are abusing Google services. Educate them to inspect URLs carefully, even if they start with accounts.google.com or end in appsheet.com.
Compromise Assessment:
- Run the PowerShell script above across endpoints to identify users who have visited AppSheet recently.
- For identified users, force a password reset for their Facebook accounts and review recent login activity for unauthorized access.
Multi-Factor Authentication (MFA):
- Enforce MFA on all social media accounts used for business purposes. This is the single most effective control against credential theft.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub