May 22, 2026

30,000 Facebook Business Accounts Compromised via Google AppSheet Phishing Relay


A Vietnamese-linked threat operation dubbed AccountDumpling by Guardio has compromised approximately 30,000 Facebook Business accounts by routing phishing emails through Google AppSheet, causing them to originate from the legitimate noreply@appsheet.com address and bypass enterprise spam filters. The campaign targets Facebook Business account owners with fake Meta Support termination notices and funnels stolen credentials to Telegram-based collection bots for resale.

// 01 AccountDumpling Phishing: What We Know So Far

The attack chain abuses legitimate platform functionality rather than a software vulnerability — there is no CVE associated with this campaign.

Phishing emails are sent through Google AppSheet’s notification infrastructure, meaning they arrive from noreply@appsheet.com, a Google-controlled domain with strong DMARC, DKIM, and SPF alignment. The emails claim to be from Meta Support, warning recipients that their Facebook Business account faces permanent deletion unless they submit an appeal immediately. The urgency framing is designed to cause recipients to act without pausing to verify the sender context.

Victims who click through land on credential-harvesting pages that mimic Meta’s account appeal workflow. Submitted credentials and session tokens are captured in real time by Telegram bots and streamed to attacker-controlled channels. The stolen accounts are sold through an illicit storefront operated by the threat actors. In a secondary monetization loop, the attackers also offer “account recovery” services to victims — charging a fee to return an account they themselves stole.

Attribution is based on metadata from a Google Drive-hosted PDF used in the campaign, which identifies a Vietnamese national named “Phạm Tài Tân” — a persona linked to online offers of Facebook account recovery services. Geographic distribution of victims skews heavily toward the United States (approximately 68%), with the remainder across Europe, Asia, and the Americas. Guardio, which published the original research, has codenamed the operation AccountDumpling.

// 02 Why AccountDumpling Phishing Matters

This campaign represents a maturation of the “trusted platform abuse” technique, where attackers leverage the sending reputation of legitimate cloud services to defeat email security controls. AppSheet is a Google-owned no-code application platform; emails from its notification infrastructure carry the full trust chain of Google’s mail infrastructure. Most secure email gateways and spam filters will not flag or quarantine them.

The specific targeting of Facebook Business accounts is deliberate. Business accounts carry advertising credits, audience data, customer payment methods, and the ability to manage paid social campaigns. A compromised Business Manager account can result in unauthorized ad spend accumulating rapidly — sometimes thousands of dollars within hours — before the breach is detected.

The monetization model — steal, resell, and optionally “recover” for a fee — indicates a mature criminal operation rather than opportunistic account harvesting. The use of Telegram infrastructure for real-time credential collection means stolen sessions are acted upon before the victim has any chance to revoke them.

// 03 AccountDumpling Phishing: What You Should Do Now

  • Enforce phishing-resistant MFA on all Facebook Business accounts. FIDO2 hardware keys or passkeys eliminate adversary-in-the-middle (AiTM) credential relay even when an employee lands on a convincing phishing page. SMS-based OTP does not stop this type of attack — the token is captured in real time and relayed before it expires.
  • Review Business Manager login activity now. Navigate to Business Settings → Security Center → Recent Logins. Look for unfamiliar IP addresses, geolocations outside your organization’s normal operating regions, and session tokens generated outside business hours.
  • Restrict Business Manager access using least privilege. Revoke admin-level roles from any account that does not require them. Ad managers should not have access to payment settings or user management by default.
  • Train employees to distrust any Meta Support email regardless of sender domain. The AppSheet origin makes this campaign unusually convincing. Meta does not use Google AppSheet to manage account appeals. Establish a clear policy: any email directing employees to log into Meta via a link should be verified through a separate channel before clicking.
  • Create an email filtering rule for noreply@appsheet.com messages containing Facebook-related language. Flag or sandbox these messages for manual review in your email security platform. This is a targeted rule that will not block legitimate AppSheet use in other contexts.
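The targeted filtering rule from the last bullet, as an added example that is not part of the original article or of any vendor's product: it holds only mail that both comes from the AppSheet relay address and carries Facebook/Meta lure language, so unrelated AppSheet notifications pass. The keyword list, the allow-list of Meta domains, and the sample messages are constructed for illustration and should be tuned to your own traffic.

```python
"""Pre-filter for AppSheet-relayed "Meta Support" lures (added example).

Assumptions, not from the article: the mail gateway can hand raw RFC 822
messages to a script, and a "hold_for_review" verdict routes the message
to a quarantine or sandbox for an analyst.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender address the article identifies as the relay origin.
RELAY_SENDER = "noreply@appsheet.com"

# Constructed lure vocabulary; one capturing group so findall returns strings.
META_TERMS = re.compile(
    r"\b(meta support|facebook business|business manager|account appeal|"
    r"permanent(?:ly)? (?:deleted|deletion|disabled)|submit an appeal)\b",
    re.IGNORECASE,
)

# Assumed allow-list of hosts Meta itself uses; links elsewhere are suspect.
LEGIT_META_DOMAINS = ("facebook.com", "meta.com", "fb.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _body_text(msg):
    """Concatenate every text/* part of the message, decoded to str."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _offsite_links(text):
    """Return URLs whose host is not a legitimate Meta domain."""
    offsite = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in LEGIT_META_DOMAINS):
            offsite.append(url)
    return offsite


def triage(raw):
    """Classify one raw message: AppSheet relay + Meta language => hold."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    result = {"sender": sender, "verdict": "allow", "lure_terms": [], "offsite_links": []}
    if sender != RELAY_SENDER:
        return result  # rule is deliberately scoped to the relay address
    text = (msg.get("Subject", "") or "") + "\n" + _body_text(msg)
    terms = sorted({m.lower() for m in META_TERMS.findall(text)})
    if not terms:
        return result  # ordinary AppSheet notification, leave it alone
    result["verdict"] = "hold_for_review"
    result["lure_terms"] = terms
    result["offsite_links"] = _offsite_links(text)
    return result


# Constructed sample messages (not real campaign artifacts).
LURE = """\
From: Meta Support <noreply@appsheet.com>
To: ads-team@example.com
Subject: Action required: your Facebook Business account will be permanently deleted
Content-Type: text/plain; charset=utf-8

Your Facebook Business account violated our policies. Submit an appeal within
24 hours at https://appeal-center.example-phish.test/meta or it will be
permanently deleted.
"""

BENIGN = """\
From: AppSheet <noreply@appsheet.com>
To: ops@example.com
Subject: Inventory app: low stock alert
Content-Type: text/plain; charset=utf-8

Item SKU-1042 dropped below threshold. Open the app: https://www.appsheet.com/start/example
"""

OTHER_SENDER = LURE.replace("noreply@appsheet.com", "support@meta-appeals.example.test")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN), ("other sender", OTHER_SENDER)):
        print(label, triage(raw))
```

The third sample shows the rule's intended blind spot: the same lure from a non-AppSheet sender is not held by this rule, which is why the article pairs the filter with MFA and employee training rather than relying on it alone.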

// 04 Detection and Verification Checklist

  • Facebook Business Manager: Go to Business Settings → Security Center → Recent Logins. Filter for sessions originating from Southeast Asian IP ranges, residential proxies, or unfamiliar geolocations.
  • Active user audit: Business Settings → People. Look for accounts added as Business Manager admins in the past 30 days that were not authorized through your normal provisioning process.
  • Ad spend monitoring: Enable billing alerts in Ads Manager. Sudden spikes in Facebook Ads spend that do not correspond to approved campaigns should trigger immediate account access review.
  • Secondary admin check: Attackers add a backdoor admin account immediately after compromise to maintain access after a password reset. Confirm all admin-role users in Business Manager are legitimate.
  • AppSheet email verification: If your organization does not use Google AppSheet, any email from noreply@appsheet.com should be treated as high-suspicion. If you do use AppSheet, verify that any Meta-related content in AppSheet emails is authorized.
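The login review, the recent-admin audit, and the backdoor-admin check from the list above, run together over constructed records as an added example (not code from the article, from Guardio, or from Meta). Facebook does not publish an export schema on this page, so the record field names, the allowed-country set, the known egress range, and the provisioned-admin list are all assumptions to replace with your own exports and policy.

```python
"""Business Manager login and admin-role review (added example).

Assumptions, not from the article: security staff have exported recent
logins and people/role assignments into dict records with the fields shown
below. Timestamps are ISO 8601 with an offset.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Organisation policy inputs (constructed).
ALLOWED_COUNTRIES = {"US", "GB"}
BUSINESS_HOURS = (8, 18)                          # [start, end) in the record's clock
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]     # documentation range, stands in for office NAT
PROVISIONED_ADMINS = {"alice@example.com", "bob@example.com"}
NOW = datetime(2026, 5, 22, 12, 0, tzinfo=timezone.utc)

# Constructed sample records.
LOGINS = [
    {"user": "alice@example.com", "ip": "203.0.113.7", "country": "US",
     "time": "2026-05-21T14:05:00+00:00"},
    {"user": "alice@example.com", "ip": "198.51.100.23", "country": "VN",
     "time": "2026-05-22T03:12:00+00:00"},
]
ADMINS = [
    {"user": "alice@example.com", "role": "admin",
     "added": "2025-01-10T09:00:00+00:00"},
    {"user": "recovery-helper@example.net", "role": "admin",
     "added": "2026-05-22T03:15:00+00:00"},
]


def login_findings(logins):
    """Flag logins from unexpected countries, unknown IPs, or off-hours."""
    findings = []
    for rec in logins:
        when = datetime.fromisoformat(rec["time"])
        reasons = []
        if rec["country"] not in ALLOWED_COUNTRIES:
            reasons.append(f"country {rec['country']} outside operating regions")
        if not any(ip_address(rec["ip"]) in net for net in KNOWN_EGRESS):
            reasons.append(f"ip {rec['ip']} is not a known egress address")
        if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
            reasons.append(f"login at {when.hour:02d}:{when.minute:02d} outside business hours")
        if reasons:
            findings.append({"user": rec["user"], "time": when, "reasons": reasons})
    return findings


def admin_findings(admins, now=NOW, window_days=30):
    """Admin roles granted in the window that did not go through provisioning."""
    findings = []
    for rec in admins:
        if rec["role"] != "admin":
            continue
        added = datetime.fromisoformat(rec["added"])
        if now - added <= timedelta(days=window_days) and rec["user"] not in PROVISIONED_ADMINS:
            findings.append({"user": rec["user"], "added": added})
    return findings


def backdoor_admin_candidates(logins, admins, now=NOW, within=timedelta(hours=1)):
    """An unprovisioned admin added shortly after a suspicious login.

    This is the persistence pattern the checklist describes: the new admin
    survives a password reset, so it must be removed explicitly.
    """
    suspicious = login_findings(logins)
    out = []
    for adm in admin_findings(admins, now):
        for login in suspicious:
            gap = adm["added"] - login["time"]
            if timedelta(0) <= gap <= within:
                out.append({"admin": adm["user"], "after_login_by": login["user"], "gap": gap})
    return out


if __name__ == "__main__":
    for f in login_findings(LOGINS):
        print("suspicious login:", f["user"], f["time"].isoformat(), f["reasons"])
    for f in admin_findings(ADMINS):
        print("unprovisioned admin:", f["user"], f["added"].isoformat())
    for c in backdoor_admin_candidates(LOGINS, ADMINS):
        print("possible backdoor admin:", c["admin"], "added", c["gap"], "after login by", c["after_login_by"])
```

Run the three checks in that order during an incident: the login review tells you whether a session is foreign to the organisation, the admin audit tells you who can still act after you reset the password, and the correlation ties the two together so the backdoor account is removed rather than overlooked.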

Sources: The Hacker News, SC Media, CyberInsider, NJCCIC


Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.

