Here's what should worry you about the latest phishing attack: it didn't use some sketchy domain or obvious fake website. Instead, cybercriminals compromised 30,000 Facebook accounts by weaponizing Google AppSheet — a legitimate business tool that millions of companies trust. The attackers essentially turned Google's own infrastructure into their phishing headquarters.
Key Takeaways
- Cybercriminals compromised 30,000 Facebook accounts using Google's own AppSheet platform
- The attack exploited users' trust in both Google and Meta domains
- Stolen credentials are now being sold on underground markets
How the Attack Worked
The scheme was elegantly simple. Attackers used Google AppSheet — a no-code platform designed for creating business applications — to build convincing fake Meta login pages. They then sent phishing emails that appeared to come from Facebook or Meta, complete with official branding and professional messaging.
When victims clicked the malicious links, they landed on fraudulent login pages that looked legitimate for a crucial reason: they were hosted on Google's infrastructure. To most users, a URL containing Google's domain feels safe. Browser warnings stayed quiet. Email filters let the messages through.
The scale suggests this wasn't some amateur operation. These attackers understood exactly how institutional trust works in cybersecurity — and how to exploit it.
Why This Changes the Game
What most coverage misses is how fundamentally this shifts the phishing landscape. For years, security training has taught a simple rule: check the domain. Suspicious URLs are red flags. But what happens when the URL isn't suspicious at all?
Google AppSheet's legitimate business purpose became its weakness. The platform exists to help organizations quickly deploy web applications without coding expertise. That same accessibility let attackers create convincing phishing sites in minutes, not days.
This represents an evolution we should have seen coming. Why build your own infrastructure when you can rent trust from Google? Why fight security systems when you can hide behind them?
The implications extend far beyond this single campaign.
What We Still Don't Know
The available reports confirm that 30,000 Facebook accounts were compromised and the stolen credentials are being sold on underground markets. But significant details remain unclear, and those gaps matter.
We don't know the attack's timeline, whether it's still ongoing, or which geographic regions were targeted. There's no information about specific countermeasures from Google or Meta. The attackers' methods for validating stolen credentials remain undisclosed, as does any intelligence about their identity or location.
These aren't just missing details — they're the pieces that would help organizations understand their actual risk exposure.
The Trust Problem
This incident exposes something deeper than a successful phishing campaign. It reveals how brittle our security assumptions have become. Employees are trained to trust content from established platforms. Security systems are configured to give Google domains the benefit of the doubt.
That trust isn't wrong — it's necessary for modern business to function. But it creates blind spots that sophisticated attackers are now exploiting systematically.
For businesses using Google Workspace and similar platforms, this demands a rethink of security awareness training. The traditional advice about checking URLs becomes meaningless when the URLs are legitimately hosted on trusted infrastructure. Organizations need new frameworks for evaluating suspicious requests, regardless of their apparent source.
But the bigger question is platform responsibility. Should Google be reviewing applications deployed through AppSheet for potential abuse?
What Comes Next
Security teams should expect copycat attacks leveraging other trusted business platforms. The success of this AppSheet campaign just proved the concept works — and there are dozens of similar no-code and low-code platforms that could be weaponized the same way.
Organizations need to update their security training to address a new reality: attacks can originate from domains you're supposed to trust. The old rules about suspicious URLs don't apply when attackers are renting credibility from legitimate platforms.
This connects to broader concerns about AI security vulnerabilities in enterprise systems. As business platforms become more accessible and automated, the attack surface isn't shrinking — it's shifting to places we didn't think to monitor.
The next 30,000 compromised accounts might come from a platform you've never heard of, hosted on infrastructure you absolutely trust.
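One way to replace the "check the domain" rule with something a mail pipeline can apply is to compare the brand a message claims to be from against where its links actually lead, and to treat a multi-tenant hosting domain as saying nothing about who built the page. The Python sketch below is an added example, not code from any vendor or from the campaign; the platform list, the brand-to-domain map and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: multi-tenant hosts where any customer can publish a page.
SHARED_HOSTS = ("appsheet.com", "sites.google.com")
# Assumption: watched brands mapped to domains the brand itself controls.
_META = ("facebook.com", "meta.com", "facebookmail.com")
BRAND_DOMAINS = {"meta": _META, "facebook": _META}

def host_in(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def claimed_brands(msg):
    """Brands named in the From display name or Subject."""
    display, _ = parseaddr(msg.get("From", ""))
    text = f"{display} {msg.get('Subject', '')}".lower()
    return sorted(b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text))

def assess(raw):
    """Return (brand, link_host, reason) for links not on the claimed brand's domains."""
    msg = message_from_string(raw)
    body = "".join(
        p.get_payload(decode=True).decode(errors="replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    findings = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        for brand in claimed_brands(msg):
            if not host_in(host, BRAND_DOMAINS[brand]):
                shared = host_in(host, SHARED_HOSTS)
                findings.append((brand, host,
                    "shared-platform-host" if shared else "off-brand-host"))
    return findings

# Constructed sample messages (not taken from the campaign).
PHISH = """From: "Meta Support" <notice@mailer.example>
Subject: Account appeal required

Submit your appeal here: https://www.appsheet.com/constructed-app-id
"""
LEGIT = """From: "Facebook" <security@facebookmail.com>
Subject: New login to Facebook

Review it at https://www.facebook.com/settings
"""

if __name__ == "__main__":
    print(assess(PHISH))
    print(assess(LEGIT))
```

A finding here is a signal for quarantine or user warning rather than a verdict, since legitimate senders also link to shared platforms.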