Full Report
A newly discovered Vietnamese-linked operation has been observed using Google AppSheet as a "phishing relay" to distribute phishing emails with the aim of compromising Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook…
Analysis Summary
# Incident Report: Campaign "AccountDumpling" – Google AppSheet Phishing Relay
## Executive Summary
AccountDumpling is an ongoing Vietnamese-linked phishing operation that abuses Google AppSheet as a "phishing relay": the lures are sent through AppSheet, so they arrive from a legitimate Google-owned sender domain and pass filters that would block mail from an attacker-owned domain. The campaign has hijacked approximately 30,000 Facebook accounts, which are then monetized through an illicit storefront run by the threat actors. The operation is characterized by real-time operator panels that process stolen logins as they arrive and by the use of trusted infrastructure for evasion, together sustaining a continuous "criminal-commercial loop" from phishing to resale.
## Incident Details
- **Discovery Date:** Reported May 04, 2026
- **Incident Date:** Ongoing (observed through May 2026)
- **Affected Organization:** Facebook (Users), Google (AppSheet platform abuse)
- **Sector:** Social Media / Technology
- **Geography:** Vietnam-linked threat actors; Global reach of victims
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing
- **Vector:** Phishing Emails
- **Details:** Attackers distribute phishing emails using Google AppSheet as a relay. By using a legitimate Google domain, the emails are more likely to bypass automated spam and security filters.
### Lateral Movement
- **Details:** Not applicable in the network sense; there is no movement between hosts. Once credentials are harvested on the phishing page, the attackers log into the victim's Facebook account directly.
### Data Exfiltration/Impact
- **Details:** Theft of session cookies and login credentials for approximately 30,000 Facebook accounts. These accounts are then indexed and uploaded to an illicit storefront for resale.
### Detection & Response
- **How it was discovered:** Identified by security researchers at Guardio.
- **Response actions taken:** Guardio released a technical report codenaming the activity "AccountDumpling" to alert the industry and potential victims.
## Attack Methodology
- **Initial Access:** Phishing emails leveraging Google AppSheet.
- **Persistence:** Stolen logins are fed into real-time operator panels, from which the operators manage access to the hijacked accounts and keep the resale pipeline (the "commercial loop") running.
- **Privilege Escalation:** Not specified; focused on account takeovers.
- **Defense Evasion:** Using Google’s infrastructure (AppSheet) as a trusted relay to mask malicious intent and avoid domain-based blocking.
- **Credential Access:** Credential harvesting through phishing kits backed by real-time operator panels, so that a submitted login can be acted on as soon as it arrives.
- **Discovery:** Identifying high-value or viable Facebook accounts for resale.
- **Lateral Movement:** N/A (Focus is on account hijacking).
- **Collection:** Gathering account data and credentials for thousands of users.
- **Exfiltration:** Sending stolen data back to attacker-controlled "living operation" panels.
- **Impact:** Massive scale account hijacking (30,000+ accounts) and financial gain through illicit sales.
## Impact Assessment
- **Financial:** High for attackers (profitable resale market); High potential loss for users (identity theft, ads manager fraud).
- **Data Breach:** High; estimated 30,000 sets of personal credentials and session data.
- **Operational:** Disruption to Facebook users and illicit use of Google's AppSheet platform.
- **Reputational:** Damage to user trust in social media security and legitimate cloud productivity tools.
## Indicators of Compromise
- **Network indicators:** Emails whose sender domain is `appsheet[.]com` (Google-owned) that carry links to Facebook-themed login pages hosted outside Facebook's own domains. The relay domain alone is not an indicator, since legitimate AppSheet notifications use it too.
- **File indicators:** None listed in the summary; the phishing kits are described only as Vietnamese-linked.
- **Behavioral indicators:** High-volume automated emails from AppSheet directing users to pages that mimic the Facebook login form but are not hosted on Facebook's domains.
## Response Actions
- **Containment measures:** Quarantine AppSheet-relayed mail that links to Facebook-themed pages off Facebook's domains; blocking the relay domain outright would also break legitimate AppSheet notifications.
- **Eradication steps:** Reporting of the specific AppSheet instances to Google for takedown.
- **Recovery actions:** Password resets and termination of all active sessions ("log out of all devices") for impacted Facebook users, since stolen session cookies remain valid after a password change until the sessions are revoked; review of linked apps and ad accounts for attacker-added access.
## Lessons Learned
- **Key takeaways:** Threat actors are increasingly routing phishing through trusted SaaS platforms such as Google AppSheet (a "living off trusted sites" pattern). Sender reputation and domain allow-lists then give no signal, so detection has to rest on the message content and on where its links actually lead.
- **What could have been done better:** Monitoring of AppSheet for unusual email distribution patterns (high-volume sends from new or low-activity apps) and platform-side checks for relay-style abuse, such as notifications whose links point to credential-harvesting pages.
## Recommendations
- **Prevention measures:**
  - Organizations should implement email security that inspects the *content* and destination of links, even when the sender domain (here `appsheet.com`, which is Google-owned) is trusted.
  - Implementation of Multi-Factor Authentication (MFA) on all social media accounts, with the caveat that one-time codes can be relayed by a phishing page backed by a live operator panel and that a stolen session cookie bypasses MFA entirely; phishing-resistant factors (passkeys or FIDO2 security keys) and regular review of active sessions close those gaps.
  - Security awareness training focusing on the fact that legitimate tools (like Google Forms or AppSheet apps) can be used to send or host malicious content, so the sender's domain alone is not proof of legitimacy.
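The following is an added example, not code from Guardio's report or from the campaign, showing what the behavioral indicator and the link-inspection recommendation above look like as a triage rule: a message that arrives from the AppSheet sender domain is not trusted on that basis; instead each link is checked for Facebook branding (in the URL or subject) against the domain it actually points to. The `appsheet.com` sender domain, the brand word list, the list of Facebook-owned domains and the three sample messages are all assumptions or constructed data.

```python
"""
Added example (not Guardio's code): triage rule for mail relayed through
the AppSheet sender domain that links to Facebook-themed pages hosted
outside Facebook's own domains.  Sender domain, brand words, brand
domains and the sample messages below are assumptions/constructed data.
"""
import email
import email.utils
from email import policy
import re
from urllib.parse import urlparse

# Assumption: AppSheet notifications arrive from the appsheet.com domain.
RELAY_DOMAINS = ("appsheet.com",)
# Brand words whose presence in a link or subject suggests impersonation.
# Deliberately crude (e.g. "meta" also matches "metadata"); tune per mail stream.
BRAND_WORDS = ("facebook", "meta")
# Domains where a Facebook-branded link is expected and therefore benign.
BRAND_DOMAINS = ("facebook.com", "fb.com", "meta.com", "messenger.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _matches(host, domains):
    """True if host equals one of `domains` or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_domain(msg):
    """Domain part of the From: address, or '' if it cannot be parsed."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_urls(msg):
    """All http(s) URLs in the preferred text body of the message."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return URL_RE.findall(body.get_content()) if body is not None else []


def triage(raw_message):
    """Classify one RFC 822 message given as a string.

    Verdicts:
      'phish-suspect': came via the trusted relay AND carries a
                       brand-themed link to a non-brand domain
      'review'       : brand-themed off-brand link, but not via the relay
      'clean'        : no brand-themed link outside the brand's domains
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).lower()
    brand_in_subject = any(w in subject for w in BRAND_WORDS)

    suspicious = []
    for url in extract_urls(msg):
        host = urlparse(url).hostname or ""
        if _matches(host, BRAND_DOMAINS):
            continue  # a genuine Facebook link is not an impersonation signal
        if brand_in_subject or any(w in url.lower() for w in BRAND_WORDS):
            suspicious.append(url)

    domain = sender_domain(msg)
    relayed = _matches(domain, RELAY_DOMAINS)
    if suspicious and relayed:
        verdict = "phish-suspect"
    elif suspicious:
        verdict = "review"
    else:
        verdict = "clean"
    return {"sender_domain": domain, "relayed": relayed,
            "suspicious_urls": suspicious, "verdict": verdict}


# Constructed sample messages; none of these are real campaign artefacts.
SAMPLE_PHISH = """\
From: "Meta Business Support" <noreply@appsheet.com>
To: victim@example.com
Subject: Action required: your Facebook Page will be restricted
Content-Type: text/plain; charset=utf-8

Your Page violates our policies. Submit an appeal within 24 hours:
https://appeal-center.example.net/facebook/login
"""

SAMPLE_NOTIFICATION = """\
From: "Inventory App" <noreply@appsheet.com>
To: staff@example.com
Subject: Low stock alert: 3 items below threshold
Content-Type: text/plain; charset=utf-8

Open the app to review: https://www.appsheet.com/start/inventory
"""

SAMPLE_DIRECT = """\
From: "Support" <alerts@example.org>
To: victim@example.com
Subject: Security check
Content-Type: text/plain; charset=utf-8

Verify your identity: https://login.example.org/facebook-security
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("notification", SAMPLE_NOTIFICATION),
                      ("direct", SAMPLE_DIRECT)):
        print(name, triage(raw))
```

The point of the rule is the order of the checks: the relay domain is only consulted after a brand-themed off-domain link has been found, so legitimate AppSheet notifications are left alone while the same sender domain raises the severity of a lure that would otherwise only be flagged for review.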