
Phishing-as-a-Platform? Hackers Hijack Google AppSheet in Alarming Meta Impersonation Campaign

In an escalating cyber threat that weaponizes trusted infrastructure, hackers have turned Google's low-code AppSheet platform into a launchpad for credential theft at scale—impersonating Meta to dupe victims into surrendering login data and even bypassing two-factor authentication.


KnowBe4 Threat Labs has been tracking the sophisticated phishing operation since March 2025, calling it one of the most advanced campaigns yet to exploit legitimate platforms. On April 20th alone, AppSheet was used in over 10% of global phishing emails blocked by KnowBe4’s Defend system—nearly all masquerading as official Meta communications.


AppSheet: The New Trojan Horse


At the heart of the campaign is AppSheet, Google’s workflow automation tool typically used for building internal apps. Here, it was misused to automate phishing email distribution. Messages came from a verified sender address—noreply@appsheet.com—helping them glide past SPF, DKIM, and DMARC checks, as well as Microsoft’s built-in defenses and many Secure Email Gateways (SEGs).


The emails, crafted with precise Meta branding, warned recipients their Facebook accounts were about to be deleted due to “intellectual property violations.” The subject line, deadline, and bogus “Case ID” worked together to induce panic and prompt immediate clicks on a “Submit an Appeal” button.


From Panic to Proxy


Clicking the link took users to a phishing site hosted on Vercel, a legitimate cloud platform popular among developers. The page emulated Facebook’s UI, complete with animation, and requested not just a password but also the user’s 2FA code. After entering their details, victims were asked to “try again,” a prompt that reinforced the sense of urgency and pushed them to re-enter their details accurately.


This phishing site operated as a man-in-the-middle proxy, instantly relaying credentials and 2FA tokens to the real Meta servers. That enabled the attacker to hijack the user’s session in real time—bypassing MFA protections altogether.


Polymorphic Phishing at Scale


Each phishing email included a unique “Case ID,” generated using AppSheet’s dynamic content capabilities. That polymorphism—a key feature of modern phishing kits—makes the emails harder to detect via traditional rule-based systems that rely on known URLs or signature hashes.


KnowBe4’s analysts warn that such polymorphic payloads may become standard in cloud-native phishing. Combined with hands-free distribution and reputation hijacking, even mid-level cybercriminals now have access to nation-state-grade techniques.
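The two detection problems described above (mail that authenticates as noreply@appsheet.com while carrying Meta branding, and a per-message Case ID that defeats exact-match hashes) can be shown in a short Python example. It is added here and is not KnowBe4's or Google's code; the brand allow-list, the Case ID format, the sample messages and all function names are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: domains each brand really sends from (adjust to your environment).
BRAND_DOMAINS = {"meta": {"meta.com", "facebookmail.com"},
                 "facebook": {"facebook.com", "facebookmail.com"}}
# Assumed shape of the per-message token: a run of 6+ letters/digits containing a digit.
VARIABLE_TOKEN = re.compile(r"\b(?=[A-Za-z]*\d)[A-Za-z0-9]{6,}\b")


def build(display, addr, case_id):
    """Constructed sample message; the Case ID format is invented for the demo."""
    return message_from_string(
        f"From: {display} <{addr}>\n"
        "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
        "Subject: Your Facebook account is scheduled for deletion\n\n"
        f"Case ID: {case_id}\nSubmit an Appeal within 24 hours.\n")


def auth_passed(msg):
    """True when the receiving server recorded a DMARC pass."""
    return "dmarc=pass" in msg.get("Authentication-Results", "").lower()


def impersonated_brands(msg):
    """Brands named in the display name or subject that the sending domain does not belong to."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{display} {msg.get('Subject', '')}".lower()
    return {b for b, ok in BRAND_DOMAINS.items()
            if re.search(rf"\b{b}\b", text) and domain not in ok}


def template_fingerprint(msg):
    """Hash the body with per-message tokens masked, so polymorphic copies collide."""
    body = VARIABLE_TOKEN.sub("<VAR>", msg.get_payload())
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()


def raw_hash(msg):
    """Exact-match hash of the body, as a signature-based filter would compute it."""
    return hashlib.sha256(msg.get_payload().encode()).hexdigest()


A = build("Meta Support", "noreply@appsheet.com", "MT7731904A")
B = build("Meta Support", "noreply@appsheet.com", "MT1180265Q")
LEGIT = build("Facebook", "security@facebookmail.com", "MT0000000X")
```

Both constructed lures pass authentication and hash differently as raw bodies, yet they share one template fingerprint and both trip the brand-versus-domain check, while the message from an allow-listed domain does not.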


The New Frontline: Cloud-Native Threats


This campaign is just the latest in a disturbing trend: attackers leveraging trusted cloud services to sidestep traditional defenses. In recent months, KnowBe4 has observed similar abuse of platforms like QuickBooks, Microsoft Forms, and Telegram bots.


To stay ahead, KnowBe4 advocates for integrated, AI-driven email security solutions, such as its Defend platform, that can detect threats missed by SEGs and Microsoft 365. The company also promotes phishing awareness through real-world training using actual threat data, helping employees recognize and resist increasingly sophisticated lures.


As attackers grow bolder in exploiting the trust model of the internet itself, defending against phishing will require more than just better filters—it’ll demand a fundamental shift in how we think about “legitimacy” in digital communication.
