Impersonating Meta, Powered by AppSheet: A Rising Phishing Campaign Exploits Trusted Platforms to Evade Detection



Since March 2025, the KnowBe4 Threat Labs team has observed a surge in phishing attacks that exploit Google’s AppSheet platform to launch a highly targeted, sophisticated campaign impersonating social media platform giant Meta.

Utilizing state-of-the-art tactics such as polymorphic identifiers, advanced man‑in‑the‑middle proxy mechanisms and multi-factor authentication bypass techniques, the attackers aim to harvest credentials and two-factor authentication (2FA) codes, enabling real-time access to social media accounts.

The largest spike since March occurred on April 20th, 2025, when 10.88% of all global phishing emails identified and neutralized by KnowBe4 Defend were sent from AppSheet. Of these, 98.23% impersonated Meta and the remaining 1.77% impersonated PayPal.

Phishing Campaign Overview
All attacks analyzed in this campaign were identified and neutralized by KnowBe4 Defend, with further investigation conducted by our Threat Labs team. 

Attackers exploited AppSheet, a trusted Google-owned platform, and its workflow automation to deliver phishing emails at scale, hands-free. These emails originated from noreply@appsheet.com, a legitimate domain, enabling them to bypass Microsoft and Secure Email Gateways (SEGs) that rely on domain reputation and authentication checks (SPF, DKIM, DMARC).

In addition to leveraging a legitimate domain, this campaign also impersonated Meta (Facebook), using forged branding and urgent language—such as warnings about account deletion—to pressure recipients into taking immediate action. The use of a trusted brand like Meta helps lower suspicion and increase user engagement, making the phishing emails and the subsequent credential harvesting site appear more credible. 

Example of a Phishing Email Sent Through AppSheet 

Step 1: The Initial Phishing Email 

Screenshot of phishing email impersonating Meta, sent through AppSheet with KnowBe4 anti-phishing banners applied

The example above is a phishing email sent through AppSheet that impersonates Meta. Posing as a message from the “Facebook Support Team,” the email leverages AppSheet’s legitimate sender address—noreply@appsheet.com—to bypass common email authentication protocols such as SPF, DKIM, and DMARC.

This not only helps the message avoid technical detection but also increases its perceived legitimacy in the eyes of the recipient, as it appears to come from a trusted platform. The phishing email mimics Meta’s branding, including a convincing email signature, to appear authentic, despite all footer links being non-functional.

In addition, the campaign relies heavily on social engineering tactics to trick recipients into clicking a malicious link, presented as a “Submit an Appeal” button. The email falsely claims that the recipient’s social media account is scheduled for deletion due to a violation, using emotive language and a tight 24-hour deadline to create a sense of urgency. Subject lines like “Violating intellectual property rights has caused your account to be deleted” are used to heighten anxiety and increase the likelihood of user interaction.
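The mismatch described above (a message that names Meta, is sent and authenticated as AppSheet, and links somewhere that is neither) can be checked directly. The following is an added example, not KnowBe4's detection logic: the brand allowlist, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains the impersonated brand actually sends from and links to.
BRAND_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com", "fb.com", "instagram.com"}
BRAND_WORDS = re.compile(r"\b(meta|facebook|instagram)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def base_domain(host):
    # Naive last-two-labels reduction; use a public-suffix list in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_mismatch(raw):
    """Return findings for a message that claims the brand but is not sent from it."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = base_domain(addr.rpartition("@")[2])
    # Text parts only, not transfer-decoded: enough for the plain-text sample below.
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    if not BRAND_WORDS.search(f"{display} {msg.get('Subject', '')} {body}"):
        return []
    findings = []
    if sender not in BRAND_DOMAINS:
        findings.append(f"brand named, sender domain is {sender}")
        if "dmarc=pass" in msg.get("Authentication-Results", "").lower():
            findings.append("DMARC pass belongs to the sending platform, not the brand")
    links = {base_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}
    off_brand = sorted(d for d in links if d and d not in BRAND_DOMAINS)
    if off_brand:
        findings.append("links leave brand domains: " + ", ".join(off_brand))
    return findings

# Constructed sample modelled on the email described above; the URL is a placeholder.
SAMPLE = """\
From: "Facebook Support Team" <noreply@appsheet.com>
To: user@example.org
Subject: Violating intellectual property rights has caused your account to be deleted
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass

Case ID: 7F3A-91C2
Submit an Appeal: https://appeal-placeholder.vercel.app/start
"""

if __name__ == "__main__":
    for finding in brand_mismatch(SAMPLE):
        print(finding)
```

A passing DMARC result is treated here as information about who sent the message, not as evidence that the brand named in it did.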

To further evade detection and complicate remediation, the attackers leverage AppSheet’s functionality for generating unique IDs, shown as Case IDs in the body of the email. The presence of unique polymorphic identifiers in each phishing email ensures every message is slightly different, helping them bypass traditional detection systems that rely on static indicators such as hashes or known malicious URLs. It also poses a challenge for IT teams, as the lack of consistent identifiers makes widespread remediation and filtering significantly more difficult.
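For remediation, one way to regroup messages that differ only in their Case ID is to mask the per-message token before hashing, so the template rather than the exact bytes becomes the indicator. This is an added example, not KnowBe4's code: the Case ID pattern, function names and sample bodies are constructed assumptions, since the page does not show the real ID format.

```python
import hashlib
import re
from collections import defaultdict

# Assumed shape of the polymorphic token: a "Case ID" label followed by an
# alphanumeric/hyphen run of at least six characters.
CASE_ID = re.compile(r"(case\s*id\s*[:#]?\s*)[A-Za-z0-9-]{6,}", re.I)

def raw_hash(body):
    """Exact-content hash: what a static indicator would match on."""
    return hashlib.sha256(body.encode()).hexdigest()

def template_fingerprint(body):
    """Hash of the body with the per-message ID masked and whitespace collapsed."""
    text = CASE_ID.sub(r"\1<ID>", body)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode()).hexdigest()

def cluster(messages):
    """Group (message_id, body) pairs that share a template; return groups of 2+."""
    groups = defaultdict(list)
    for mid, body in messages:
        groups[template_fingerprint(body)].append(mid)
    return [ids for ids in groups.values() if len(ids) > 1]

# Constructed sample bodies: three copies of one lure with different Case IDs,
# plus one unrelated message.
LURE = "Your account is scheduled for deletion.\nCase ID: {}\nSubmit an Appeal within 24 hours."
SAMPLE = [
    ("m1", LURE.format("7F3A-91C2")),
    ("m2", LURE.format("B20D-4E77")),
    ("m3", LURE.format(" 0C9E-AA15")),
    ("m4", "Your invoice is ready for download."),
]

if __name__ == "__main__":
    print("distinct raw hashes:", len({raw_hash(b) for _, b in SAMPLE}))
    print("template clusters:", cluster(SAMPLE))
```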

Step 2: Credential Harvesting

If the recipient clicks the link in the phishing email, they are directed to a sophisticated site designed to steal their credentials and 2FA codes. The page initially displays an animated META logo and features a highly detailed design that mimics the legitimate Facebook interface, intended to lower the recipient's suspicion. Once the page fully loads, it falsely claims that the user’s account is at risk of deletion and provides a single opportunity to appeal.

The site is hosted on Vercel, a reputable platform known for hosting modern web applications. This strategic choice enhances the site’s credibility, helping the malicious link bypass many traditional URL reputation checks.

Screenshot of malicious phishing site that impersonates Meta for Business 

Screenshot of credential harvesting forms impersonating Meta

Screenshot of 2FA harvesting form that impersonates Meta  

The phishing site employs several advanced tactics to maximize the effectiveness of the attack and ensure successful credential theft.

One such method is the double prompt for credentials. After the user enters their password and 2FA code, the site falsely claims that the first attempt was incorrect, prompting the user to try again. This serves multiple purposes: it increases the likelihood of capturing accurate information by encouraging users to re-enter data they believe was mistyped; it introduces confusion and urgency, reducing the victim’s ability to think critically; and it provides data redundancy, allowing the attacker to compare entries and confirm the validity of the credentials before using them.

In addition, the phishing site appears to operate as a man-in-the-middle proxy. When the user submits their login information and 2FA code, the site immediately relays this data to the legitimate service—such as Facebook—in real time. This enables the attacker to hijack the session and obtain a valid session token, effectively bypassing two-factor authentication and granting them immediate access to the user’s account.

Detecting Advanced Phishing Threats

The exploitation of AppSheet is part of a broader trend of using legitimate services to bypass traditional email security detections, a pattern our Threat Labs team has observed in recent analyses of other services like Microsoft, Google, QuickBooks, and Telegram.

This tactic, in combination with sophisticated impersonation, man-in-the-middle techniques and social engineering, makes this campaign highly advanced and engineered to bypass detection technologies used in Microsoft 365 and SEGs.

As a result, many organizations are turning to Integrated Cloud Email Security products (such as KnowBe4 Defend) that leverage AI to detect advanced phishing threats and prevent employees from interacting with malicious hyperlinks and attachments. Additionally, threat-based awareness and training, including flipping real phishing emails into training simulations (e.g. via KnowBe4 PhishER), educates employees on the phishing attacks they’re most likely to face.


Stop Advanced Phishing Attacks with KnowBe4 Defend

KnowBe4 Defend takes a new approach to email security by addressing the gaps in M365 and Secure Email Gateways (SEGs). Defend helps you respond to threats quicker, dynamically improve security and stop advanced phishing threats. It reduces admin overhead, enhances detection and engages users to build a stronger security culture.

With KnowBe4 Defend you can:

  • Reduce risk of data breaches by detecting threats missed by M365 and SEGs
  • Free up admin resources by automating email security tasks
  • Educate users with color-coded banners to turn risks into teachable moments
  • Continuously assess and dynamically adapt security detection, reducing admin overhead
  • Leverage live threat intelligence to automate training and simulations
