The AppShell Gambit: Abusing Google AppSheet for Credential Harvesting
Just caught the report on Guardio's 'AccountDumpling' operation. It’s a textbook case of attackers abusing legitimate SaaS infrastructure to bypass traditional filters. Essentially, they are using Google AppSheet—a no-code platform—as a phishing relay.
By routing phishing traffic through AppSheet's legitimate domains, the attackers ensure that emails and landing pages pass reputation checks and SPF/DKIM validations. The 30,000 compromised Facebook accounts are likely just the tip of the iceberg since the infrastructure itself is trusted.
The Mechanism
The actors likely host a phishing form that uses AppSheet scripts to capture input and relay it to their backend, or simply use the AppSheet domain to host the intermediary page. This makes URL filtering incredibly difficult; blocking appsheet.com isn't an option for many orgs using Google Workspace.
Detection Strategy
We need to look for behavioral anomalies rather than just signatures. I'm currently working on a query to identify suspicious interactions with AppSheet endpoints that don't match typical internal app usage patterns.
Here is a basic KQL snippet to identify high-frequency requests to AppSheet from a single source, which might indicate an automated harvesting tool or a user interacting with a phishing link:
// Tunables: target domain, lookback window, and the per-URL request count that counts as an outlier
let AppSheetBase = 'appsheet.com';
let TimeFrame = 1h;
let Threshold = 50;
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
// 'contains' is a substring match, so this also catches look-alike hosts such as appsheet.com.<attacker>
| where RemoteUrl contains AppSheetBase
// Only browser-initiated traffic; service and updater processes are noise here
| where InitiatingProcessFileName in ('chrome.exe', 'msedge.exe', 'firefox.exe')
| summarize Count = count() by DeviceName, InitiatingProcessAccountName, RemoteUrl
| where Count > Threshold
// Column must match the summarize key; 'Account' does not exist at this point in the pipeline
| project DeviceName, InitiatingProcessAccountName, RemoteUrl, Count
This isn't a silver bullet, but it helps spot outliers. Has anyone else started seeing SaaS-to-phishing relays in their environment? How are you handling the balance between blocking malicious abuse and allowing legitimate low-code tool usage?
We've seen a similar uptick with legitimate survey tools (Typeform, etc.) being used for initial recon, but the AppSheet relay is a new level of bold. The KQL query is a solid start, but you might also want to cross-reference with IdentityLogonEvents to see if those same users are triggering MFA challenges immediately after accessing the AppSheet URL. That 'click -> login' correlation is usually the smoking gun for credential harvesting.
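The two detections discussed above (the per-URL request threshold in the opening post's KQL, and the 'click -> login' correlation suggested in the reply) as one runnable illustration. This is an added example, not code from either poster: it reimplements the logic in Python over a handful of constructed events whose field names mimic Microsoft Defender's DeviceNetworkEvents and IdentityLogonEvents tables. The app-ID URL format, the 5-minute correlation window, the hostnames, account names and timestamps are all assumptions made for the example. It also tightens the domain match to the hostname, so a look-alike host like appsheet.com.attacker.example does not trip the rule the way a substring 'contains' would.

```python
"""Added example: AppSheet request-frequency and click->login correlation over constructed events."""
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

APPSHEET_DOMAIN = "appsheet.com"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
THRESHOLD = 50                       # same cut-off as the KQL in the thread
WINDOW = timedelta(hours=1)          # same lookback as the KQL in the thread
CLICK_TO_LOGIN = timedelta(minutes=5)  # assumed window for the click->login correlation


def is_appsheet_url(url: str) -> bool:
    """Match on the hostname, not a substring: 'appsheet.com.attacker.example' must not match."""
    host = (urlparse(url).hostname or "").lower()
    return host == APPSHEET_DOMAIN or host.endswith("." + APPSHEET_DOMAIN)


def high_frequency_appsheet(events, now, threshold=THRESHOLD, window=WINDOW):
    """Equivalent of the posted KQL: count browser requests per (device, account, url), keep > threshold."""
    counts = Counter()
    for e in events:
        if now - e["Timestamp"] > window:                       # Timestamp > ago(TimeFrame)
            continue
        if e["InitiatingProcessFileName"].lower() not in BROWSERS:
            continue
        if not is_appsheet_url(e["RemoteUrl"]):
            continue
        counts[(e["DeviceName"], e["InitiatingProcessAccountName"], e["RemoteUrl"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def click_then_login(net_events, logon_events, window=CLICK_TO_LOGIN):
    """For each logon, report the most recent AppSheet request by the same account within `window` before it."""
    hits = []
    for lg in logon_events:
        prior = [n for n in net_events
                 if n["InitiatingProcessAccountName"] == lg["AccountName"]
                 and is_appsheet_url(n["RemoteUrl"])
                 and timedelta(0) <= lg["Timestamp"] - n["Timestamp"] <= window]
        if prior:
            last = max(prior, key=lambda n: n["Timestamp"])
            hits.append({"account": lg["AccountName"], "url": last["RemoteUrl"],
                         "seconds_after_click": int((lg["Timestamp"] - last["Timestamp"]).total_seconds())})
    return hits


# ---- Constructed sample telemetry (not real data) ----
T0 = datetime(2024, 1, 1, 12, 0, 0)


def _net(ts, device, acct, url, proc="chrome.exe"):
    return {"Timestamp": ts, "DeviceName": device, "InitiatingProcessAccountName": acct,
            "RemoteUrl": url, "InitiatingProcessFileName": proc}


# Assumed AppSheet app URL shape with placeholder app IDs; both IDs are made up
PHISH_URL = "https://www.appsheet.com/start/00000000-0000-0000-0000-000000000000"
INTERNAL_URL = "https://www.appsheet.com/start/11111111-1111-1111-1111-111111111111"
LOOKALIKE_URL = "https://appsheet.com.attacker.example/start/x"

NET_EVENTS = (
    [_net(T0 + timedelta(seconds=i), "WS-BOB", "bob", PHISH_URL) for i in range(60)]   # automated-looking burst
    + [_net(T0 + timedelta(minutes=i), "WS-ALICE", "alice", INTERNAL_URL) for i in range(3)]  # normal usage
    + [_net(T0, "WS-EVE", "eve", LOOKALIKE_URL)]                                     # must not match
)
LOGON_EVENTS = [
    {"Timestamp": T0 + timedelta(minutes=2), "AccountName": "bob", "LogonType": "Interactive"},
    {"Timestamp": T0 + timedelta(hours=3), "AccountName": "alice", "LogonType": "Interactive"},
]
NOW = T0 + timedelta(minutes=10)

if __name__ == "__main__":
    print("high-frequency:", high_frequency_appsheet(NET_EVENTS, NOW))
    print("click->login:", click_then_login(NET_EVENTS, LOGON_EVENTS))
```

On the constructed data only bob's burst crosses the threshold, and only bob's logon lands inside the correlation window (61 seconds after his last AppSheet request); alice's three requests and her logon three hours later produce nothing, and the look-alike host is rejected by the hostname check.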
It’s frustrating because our devs love AppSheet for rapid prototyping. Blanket banning is out of the question. We’re looking at implementing strict CASB policies that only allow specific AppSheet App IDs that we have whitelisted. Anything outside that list gets blocked. It adds admin overhead, but it's the only way to stop the 'trusted domain' abuse without killing productivity.