
Since March 2025, the KnowBe4 Threat Labs team has observed a surge in phishing attacks that exploit Google’s AppSheet platform to launch a highly targeted, sophisticated campaign impersonating social media platform giant Meta.
The attackers aim to harvest credentials and two-factor authentication codes by utilising state-of-the-art tactics such as polymorphic identifiers, advanced man‑in‑the‑middle proxy mechanisms and multi-factor authentication bypass techniques, enabling real-time access to social media accounts.
The largest spike since March occurred on April 20, 2025, when 10.88% of all global phishing emails identified and neutralised by KnowBe4 Defend were sent from AppSheet. Of these, 98.23% impersonated Meta and the remaining 1.77% impersonated PayPal.
Attackers exploited AppSheet, a Google-owned platform, and its workflow automation to deliver phishing emails at scale, enabling large-scale, hands-free distribution. These emails originated from noreply@appsheet.com, a legitimate domain, enabling them to bypass Microsoft and secure email gateways that rely on domain reputation and authentication checks (SPF, DKIM, DMARC).
In addition to leveraging a legitimate domain, this campaign also impersonated Meta (Facebook), using forged branding and urgent language, such as warnings about account deletion, to pressure recipients into taking immediate action.
The use of a trusted brand like Meta helps lower suspicion and increase user engagement, making the phishing emails and the subsequent credential harvesting site appear more credible.
This not only helps the message avoid technical detection but also increases its perceived legitimacy in the eyes of the recipient, as it appears to come from a trusted platform. The phishing email mimics Meta’s branding, including a convincing email signature, to appear authentic despite non-functional footer links.
In addition, the campaign relies heavily on social engineering tactics to trick recipients into clicking a malicious link, presented as a ‘Submit an Appeal’ button. The email falsely claims that the recipient’s social media account is scheduled for deletion due to a violation, using emotive language and a tight 24-hour deadline to create a sense of urgency. Subject lines like ‘Violating intellectual property rights has caused your account to be deleted’ are used to heighten anxiety and increase the likelihood of user interaction.
To further evade detection and complicate remediation, the attackers leverage AppSheet’s functionality for generating unique IDs, shown as Case IDs in the body of the email. The presence of unique polymorphic identifiers in each phishing email ensures every message is slightly different, helping them bypass traditional detection systems that rely on static indicators such as hashes or known malicious URLs. It also poses a challenge for IT teams, as the lack of consistent identifiers makes widespread remediation and filtering significantly more difficult.
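The two evasion properties described above (a sending domain that passes SPF/DKIM/DMARC, and per-message Case IDs that defeat hash-based matching) can be countered by matching on the template rather than the message. The following is an added example, not code from KnowBe4 or the original post: it builds a few constructed sample messages in the style the post describes (sender noreply@appsheet.com, Meta branding, a 24-hour deadline, a different Case ID in each) plus one benign AppSheet workflow notice, shows that the raw SHA-256 of each message differs, then normalises the polymorphic parts so the phishing messages collapse to a single fingerprint. It also scores each message on content cues (brand name, urgency wording, mismatch between the named brand and the sending domain), which is the kind of signal that survives polymorphism. The URL domain and all Case IDs are constructed placeholders.

```python
import hashlib
import re

# Constructed samples (not real campaign messages): three phishing bodies that
# differ only in their AppSheet-generated Case ID, plus a benign workflow notice.
# The .example link domain is a placeholder, not the real hosting location.
PHISH_TEMPLATE = (
    "From: noreply@appsheet.com\n"
    "Subject: Violating intellectual property rights has caused your account to be deleted\n\n"
    "Case ID: {case_id}\n"
    "Your Facebook account has been scheduled for deletion due to a policy violation.\n"
    "You have 24 hours to submit an appeal: https://appeal-form.example/case/{case_id}\n"
)
SAMPLES = [PHISH_TEMPLATE.format(case_id=c) for c in ("A1B2C3D4", "F9E8D7C6", "0Z9Y8X7W")]
SAMPLES.append(
    "From: noreply@appsheet.com\n"
    "Subject: Inventory count submitted\n\n"
    "Case ID: 7H6G5F4E\n"
    "Your warehouse inventory form was submitted successfully.\n"
)

CASE_ID_RE = re.compile(r"\bCase ID:\s*[A-Za-z0-9-]+", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def raw_hash(body: str) -> str:
    """Static indicator: SHA-256 of the message exactly as delivered."""
    return hashlib.sha256(body.encode()).hexdigest()


def normalise(body: str) -> str:
    """Replace the polymorphic parts (per-message Case ID, per-message URL)
    with fixed placeholders so that messages built from one template collapse."""
    body = CASE_ID_RE.sub("Case ID: <ID>", body)
    body = URL_RE.sub("<URL>", body)
    return body


def template_fingerprint(body: str) -> str:
    """Hash of the normalised body: identical for every message of a template."""
    return hashlib.sha256(normalise(body).encode()).hexdigest()


URGENCY_TERMS = ("deleted", "deletion", "24 hours", "appeal", "violation")
BRAND_TERMS = ("facebook", "meta", "instagram")


def impersonation_score(body: str) -> int:
    """Content-based heuristic that needs no static indicator: counts brand and
    urgency cues, and adds weight when the named brand does not match the
    sending domain (here a legitimate third-party automation platform)."""
    text = body.lower()
    sender = re.search(r"^from:\s*\S+@(\S+)$", text, re.MULTILINE)
    sender_domain = sender.group(1) if sender else ""
    brand_hits = sum(1 for t in BRAND_TERMS if t in text)
    urgency_hits = sum(1 for t in URGENCY_TERMS if t in text)
    if brand_hits == 0:
        return 0  # no brand named, nothing to impersonate
    mismatch = not any(t in sender_domain for t in BRAND_TERMS)
    return brand_hits + urgency_hits + (2 if mismatch else 0)


def cluster(samples):
    """Group messages by template fingerprint; returns {fingerprint: [indices]}."""
    groups = {}
    for i, s in enumerate(samples):
        groups.setdefault(template_fingerprint(s), []).append(i)
    return groups


if __name__ == "__main__":
    print("distinct raw hashes:", len({raw_hash(s) for s in SAMPLES}))
    print("distinct template fingerprints:", len({template_fingerprint(s) for s in SAMPLES}))
    for i, s in enumerate(SAMPLES):
        print(i, "score", impersonation_score(s))
```

Once the phishing messages share a fingerprint, one block rule or one purge query covers the whole wave, which is the remediation problem the Case IDs were meant to create. The benign AppSheet notice keeps its own fingerprint and a zero score, so the sender domain alone is not what drives the verdict.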
If the recipient clicks the link in the phishing email, they are directed to a sophisticated site designed to steal their credentials and 2FA codes. The page initially displays an animated META logo and features a highly detailed design that mimics the legitimate Facebook interface, intended to lower the recipient’s suspicion. Once the page fully loads, it falsely claims that the user’s account is at risk of deletion and provides a single opportunity to appeal.
The site is hosted on Vercel, a reputable platform known for hosting modern web applications. This strategic choice enhances the site’s credibility, helping the malicious link bypass many traditional URL reputation checks.
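Because the landing page sits on a reputable hosting provider, a reputation lookup on the link's host says little; what the email itself exposes is that a Meta-branded call to action points somewhere other than a Meta-owned domain. The following added example (not code from KnowBe4 or the original post) extracts the anchors from a constructed HTML body in the style the post describes and reports any action link ("Submit an Appeal" and similar) whose registered domain is outside a per-brand allow-list. The allow-list, the `.example` host standing in for the third-party hosting provider, and the Case ID in the URL are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the impersonated brand legitimately uses;
# an organisation would maintain its own per-brand list.
BRAND_DOMAINS = {
    "meta": {"facebook.com", "meta.com", "fb.com"},
}

# Constructed HTML in the style the post describes: brand language and a
# deadline in the text, an appeal button whose target is a third-party host
# (the .example domain is a placeholder for the real hosting provider),
# and a footer link that really does point at the brand.
SAMPLE_HTML = """
<p>Your Facebook account is scheduled for deletion within 24 hours.</p>
<a href="https://meta-appeal-form.example/case/A1B2C3D4">Submit an Appeal</a>
<p><a href="https://www.facebook.com/policies">Community Standards</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of the host: enough for .com-style domains in this
    example; a real deployment would consult the public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def link_belongs_to_brand(href: str, brand: str) -> bool:
    """True when the link's registered domain is on the brand's allow-list."""
    host = urlparse(href).hostname or ""
    return registered_domain(host) in BRAND_DOMAINS[brand]


def action_links_off_brand(html_body: str, brand: str):
    """Return action links (anchor text asks the reader to do something)
    whose host is outside the brand's domains; these are the ones to block
    or rewrite regardless of the host's own reputation."""
    parser = LinkExtractor()
    parser.feed(html_body)
    action_words = ("appeal", "verify", "confirm", "restore", "login", "sign in")
    return [
        (text, href)
        for text, href in parser.links
        if any(w in text.lower() for w in action_words)
        and not link_belongs_to_brand(href, brand)
    ]


if __name__ == "__main__":
    for text, href in action_links_off_brand(SAMPLE_HTML, "meta"):
        print(f"off-brand action link: '{text}' -> {href}")
```

The check deliberately ignores decorative footer links and only judges the anchors that ask the reader to act, since those are the ones the campaign needs the victim to click; the genuine facebook.com policy link in the sample passes, the appeal button does not.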
The phishing site employs several advanced tactics to maximise the effectiveness of the attack and ensure successful credential theft.
One such method is the double prompt for credentials. After the user enters their password and 2FA code, the site falsely claims that the first attempt was incorrect, prompting the user to try again. This serves multiple purposes: it increases the likelihood of capturing accurate information by encouraging users to re-enter data they believe was mistyped; it introduces confusion and urgency, reducing the victim’s ability to think critically; and it provides data redundancy, allowing the attacker to compare entries and confirm the validity of the credentials before using them.
In addition, the phishing site appears to operate as a man-in-the-middle proxy. When the user submits their login information and 2FA code, the site immediately relays this data to a legitimate service, such as Facebook, in real-time. This enables the attacker to hijack the session and obtain a valid session token, effectively bypassing two-factor authentication and granting them immediate access to the user’s account.
The exploitation of AppSheet is part of a broader trend of using legitimate services to bypass traditional email security detections; a pattern our Threat Labs team has observed in recent analyses of other services like Microsoft, Google, QuickBooks, and Telegram.
This tactic, in combination with sophisticated impersonation, man-in-the-middle techniques and social engineering, makes this campaign highly advanced and engineered to bypass the detection technologies used in Microsoft 365 and SEGs.
As a result, many organisations are turning to integrated cloud email security products that leverage AI to detect advanced phishing threats and prevent employees from interacting with malicious hyperlinks and attachments.
Additionally, threat-based awareness and training, including flipping real phishing emails into training simulations, educates employees on the phishing attacks they’re most likely to face.