Bypassing Filters with AppSheet: The 'AccountDumpling' Analysis

Just saw the Guardio report on 'AccountDumpling,' and it’s a textbook example of how threat actors are leveraging trusted SaaS platforms to bypass email reputation filters. By using Google AppSheet as a phishing relay, this Vietnamese-linked operation ensures their emails originate from Google's infrastructure, making them incredibly difficult to block with standard ESP filtering.

The technical flow here is nasty. The attackers aren't sending the phish directly; they're triggering AppSheet workflows that deliver emails appearing to be legitimate notifications or service alerts. The link redirects the victim to the credential harvester.

Since we can't just block appsheet.com or Google domains wholesale, detection relies on analyzing the email headers and the context of the links. I've been drafting a query to catch these anomalies in our logs by looking for specific sender patterns combined with high-risk URL redirection.

Here is a KQL snippet to help identify potential relays in your Microsoft Sentinel or O365 logs:

EmailEvents
| where SenderFromAddress endswith "@appsheet.googleusercontent.com"
| extend UrlCount = array_length(Urls)
| where UrlCount > 0
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, Urls
| where Subject contains "account" or Subject contains "verify"

Has anyone else observed 'living-off-the-land' tactics like this with other automation platforms (e.g., Power Automate or Zapier)? How are you handling the false positive risk when blocking legitimate automation traffic?