Vietnamese fraudsters used Google's no-code app platform to send Facebook phishing emails that passed every spam check, then sold the stolen accounts back to victims

Guardio documented a Vietnamese-linked fraud operation that has stolen roughly 30,000 Facebook business accounts by abusing Google's AppSheet no-code platform as a phishing relay. Because the phishing emails come from noreply@appsheet.com (a real Google address), they pass SPF, DKIM, and DMARC checks that normally catch fake-Meta emails. The lures impersonate Meta Support and threaten account deletion within 24 hours unless the user 'submits an appeal.' Stolen credentials, 2FA codes, and government ID photos are exfiltrated to Telegram. The operators then sell the stolen accounts back to victims through their own recovery service.

Check

Brief every staff member who manages a Facebook business account that any email from 'noreply@appsheet.com' claiming to be Meta is hostile, regardless of how legitimate the formatting looks.

Affected

Facebook Business account owners worldwide, with 68.6% of victims based in the US. Acute risk for marketing teams, social media managers, and small business owners who manage Facebook ad accounts. Any organization using the same Facebook business account for paid ads since 2024 is in the broader target pool. Stolen accounts often hold credit card data and ad spend history.

Fix

Block emails from noreply@appsheet.com unless your organization legitimately uses Google AppSheet. Train staff that real Meta support never asks for 2FA codes via email. Enable Meta Business Manager 2FA with hardware keys (not SMS). For organizations already compromised, contact Meta Business Help directly through facebook.com - the 'recovery service' is the same operation that took the account.