IT Brief New Zealand - Technology news for CIOs & IT decision-makers

Phishing attacks exploit AppSheet to mimic Meta & evade defences

Today

KnowBe4 Threat Labs is monitoring a growing phishing campaign that exploits Google's AppSheet platform to impersonate Meta and bypass conventional email security measures.

Since March 2025, KnowBe4 Threat Labs has recorded a marked increase in attacks using AppSheet as a conduit for phishing campaigns. Data collected by the organisation indicates that on April 20, 10.88% of all global phishing emails blocked by KnowBe4 Defend were sent via AppSheet, with 98% of those attempts impersonating Meta. The remaining 2% targeted users by mimicking PayPal.

The current wave of phishing leverages trusted platforms to slip past standard security controls. AppSheet, a Google-owned platform, is being abused to distribute phishing emails at scale from its legitimate sender address, noreply@appsheet.com. Because the messages genuinely originate from AppSheet's mail infrastructure, they pass SPF, DKIM and DMARC for appsheet.com and carry that domain's good reputation, so Microsoft 365's native filtering and Secure Email Gateways (SEGs) that lean on sender authentication and domain reputation let them through. Passing authentication proves only that the mail came from AppSheet, not that AppSheet had any business sending it on Meta's behalf.

Attackers send phishing emails purporting to originate from the "Facebook Support Team", complete with copied Meta branding and non-functional footer links. The emails employ urgent language and social engineering tactics, including warnings of imminent account deletion and a 24-hour deadline to respond. Such emotionally charged messaging seeks to drive recipients to click on a prominent "Submit an Appeal" button, which leads to a credential harvesting site.

"The phishing email mimics Meta's branding, including a convincing email signature, to appear authentic—despite all footer links being non-functional," KnowBe4's analysis states. "In addition, the campaign relies heavily on social engineering tactics to trick recipients into clicking a malicious link, presented as a 'Submit an Appeal' button."

Each message also carries a unique 'Case ID' generated by AppSheet, which makes the campaign polymorphic: no two emails share the same subject line, body or link, so filters that match on static indicators such as a fixed subject, body hash or URL have nothing consistent to key on.
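As an added example (not KnowBe4's detection logic and not code from the article), the following Python sketch shows the checks a mail filter can run on messages of this shape: it reads the receiving MTA's SPF, DKIM and DMARC verdicts, notices that an authenticated appsheet.com sender is naming a brand it does not send mail for, and masks the per-message Case ID before fingerprinting so the polymorphic variants collapse to a single signature. The sample messages, the Case IDs, the appeal URL (a placeholder, not the real Vercel host) and the brand-to-domain allowlist are all constructed for the example.

```python
import email
import email.utils
import hashlib
import re
from email import policy

# Brand keywords and the domains that legitimately send mail for each brand.
# Illustrative allowlist (assumption): tune it to what your tenant really receives.
BRAND_TERMS = {"meta": ("meta", "facebook", "instagram"), "paypal": ("paypal",)}
BRAND_DOMAINS = {"meta": ("facebookmail.com", "meta.com"), "paypal": ("paypal.com",)}

# AppSheet-generated Case IDs turn up in the subject, the body and the appeal URL.
# Replacing the value with a placeholder collapses the polymorphic variants.
CASE_ID_RE = re.compile(r"(case id:?\s*|case=)[A-Za-z0-9-]+", re.I)

# Constructed sample: one campaign template varied only by Case ID. The
# Authentication-Results header models what a receiving MTA records for mail
# that genuinely left AppSheet's infrastructure. The appeal URL is a placeholder.
TEMPLATE = """\
From: Facebook Support Team <noreply@appsheet.com>
To: victim@example.com
Subject: Your account is scheduled for deletion - Case ID {case_id}
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=appsheet.com;
 dkim=pass header.d=appsheet.com;
 dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=utf-8

Meta Support - Case ID: {case_id}
Your Facebook account violated our terms and will be deleted in 24 hours.
Submit an Appeal: https://appeal.example.invalid/review?case={case_id}
"""
PHISH_SAMPLES = [TEMPLATE.format(case_id=c) for c in ("8F2K-41QZ", "3M7C-90XA", "B1D4-55TR")]

# Constructed control: a genuine notification from a domain that speaks for the brand.
BENIGN_SAMPLE = """\
From: Facebook <notification@facebookmail.com>
To: victim@example.com
Subject: You have a new friend request
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=facebookmail.com;
 dkim=pass header.d=facebookmail.com;
 dmarc=pass header.from=facebookmail.com
Content-Type: text/plain; charset=utf-8

Someone sent you a friend request on Facebook.
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the receiving MTA's header."""
    out = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            out[method.lower()] = result.lower()
    return out


def sender_domain(msg):
    return email.utils.parseaddr(str(msg["From"] or ""))[1].rsplit("@", 1)[-1].lower()


def body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def fingerprint(msg):
    """Hash of subject + body with Case IDs masked: identical across the variants."""
    text = CASE_ID_RE.sub(r"\1<ID>", str(msg["Subject"] or "") + "\n" + body_text(msg))
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def assess(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    domain = sender_domain(msg)
    text = (str(msg["From"] or "") + " " + str(msg["Subject"] or "") + " " + body_text(msg)).lower()
    brands = sorted(b for b, terms in BRAND_TERMS.items() if any(t in text for t in terms))
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    # SPF/DKIM/DMARC passing only proves the mail really came from the sender
    # domain. The signal is a sender that speaks for none of the brands it names.
    mismatch = bool(brands) and not any(domain in BRAND_DOMAINS[b] for b in brands)
    return {
        "sender_domain": domain,
        "authenticated": authenticated,
        "brands": brands,
        "brand_mismatch": mismatch,
        "verdict": "quarantine" if mismatch else "allow",
        "fingerprint": fingerprint(msg),
    }


if __name__ == "__main__":
    for raw in PHISH_SAMPLES + [BENIGN_SAMPLE]:
        print(assess(raw))
```

Run as a script it prints four assessments: the three AppSheet variants come back authenticated, brand-mismatched, quarantined and with one shared fingerprint, while the facebookmail.com control is authenticated and allowed. The point of the brand check is that it fires regardless of the authentication result; a verdict that whitelists on "dmarc=pass" is exactly what this campaign counts on.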

Should a recipient click the embedded link, they are directed to a phishing site hosted on the Vercel platform. This site is crafted to mirror Meta's interface, displaying an animated logo and a replica design to increase perceived authenticity. The page notifies users of an alleged account risk and offers a single opportunity to appeal the impending deletion.

The phishing website deploys several advanced strategies to maximise success. One method involves prompting users to enter their credentials and two-factor authentication (2FA) codes twice, claiming the initial entry was incorrect. This approach increases the probability of obtaining valid information and introduces confusion and urgency, making it more difficult for users to assess the legitimacy of the site.

"One such method is the double prompt for credentials. After the user enters their password and 2FA code, the site falsely claims that the first attempt was incorrect, prompting the user to try again. This serves multiple purposes: it increases the likelihood of capturing accurate information by encouraging users to re-enter data they believe was mistyped; it introduces confusion and urgency, reducing the victim's ability to think critically; and it provides data redundancy, allowing the attacker to compare entries and confirm the validity of the credentials before using them," states the KnowBe4 team.

KnowBe4 also assesses that the phishing site works as a man-in-the-middle proxy, relaying credentials and 2FA codes to the real service as they are entered: "In addition, the phishing site appears to operate as a man-in-the-middle proxy. When the user submits their login information and 2FA code, the site immediately relays this data to the legitimate service—such as Facebook—in real time. This enables the attacker to hijack the session and obtain a valid session token, effectively bypassing two-factor authentication and granting them immediate access to the user's account," the report highlights. This relay defeats one-time codes from authenticator apps or SMS because the code is a bearer value that the real service accepts from whoever submits it within the time window; it does not defeat origin-bound authenticators such as FIDO2/WebAuthn security keys and passkeys, which will not produce an assertion the real service accepts for a lookalike domain.
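To make concrete why a real-time relay works against one-time codes and fails against an origin-bound authenticator, here is an added model in Python (not code from the article, from KnowBe4 or from any phishing kit). All parties are in-process objects with the placeholder origins legit.example and phish.example and the constructed password "hunter2"; the TOTP routine follows RFC 6238, while the WebAuthn assertion uses an HMAC stand-in for the ECDSA signature, because the property being shown is that the browser, not the page, writes its own origin into the signed client data and refuses an RP ID that does not match that origin.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, standard library only."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class LegitimateService:
    """The real site (placeholder origin): verifies password + TOTP or a WebAuthn
    assertion and hands out a session token on success."""
    ORIGIN, RP_ID = "https://legit.example", "legit.example"

    def __init__(self, password: str, totp_secret: bytes, webauthn_key: bytes):
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self.totp_secret, self.webauthn_key = totp_secret, webauthn_key
        self.sessions, self.challenge = set(), None

    def _issue_session(self) -> str:
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def login_totp(self, password: str, code: str, now: int):
        """A TOTP code is a bearer value: whoever submits it inside the window is
        accepted, so a relay is indistinguishable from the user."""
        pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self.pw_hash)
        return self._issue_session() if pw_ok and hmac.compare_digest(code, totp(self.totp_secret, now)) else None

    def webauthn_challenge(self) -> str:
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def login_webauthn(self, assertion: dict):
        """Check origin, challenge and RP ID before the signature, as an RP must."""
        client = json.loads(assertion["client_data"])
        if client["origin"] != self.ORIGIN or client["challenge"] != self.challenge or assertion["rp_id"] != self.RP_ID:
            return None
        msg = (assertion["rp_id"] + assertion["client_data"]).encode()
        expected = hmac.new(self.webauthn_key, msg, hashlib.sha256).hexdigest()
        return self._issue_session() if hmac.compare_digest(expected, assertion["sig"]) else None


class Authenticator:
    """The user's security key or passkey. HMAC stands in for the ECDSA signature;
    what matters is that the signed client data carries the browser's origin."""
    def __init__(self, key: bytes):
        self.key = key

    def sign(self, rp_id: str, client_data: str) -> dict:
        sig = hmac.new(self.key, (rp_id + client_data).encode(), hashlib.sha256).hexdigest()
        return {"rp_id": rp_id, "client_data": client_data, "sig": sig}


def browser_get_assertion(origin: str, rp_id: str, challenge: str, auth: Authenticator) -> dict:
    """Browser side of navigator.credentials.get(): refuses an RP ID that is not the
    origin's host or a registrable suffix of it, and writes the origin itself."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"SecurityError: rpId {rp_id!r} not valid for {origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    return auth.sign(rp_id, client_data)


PHISH_ORIGIN = "https://phish.example"  # placeholder for the lookalike site


def relay_password_and_totp(service, password, code, now):
    """The phishing page forwards password and code to the real site at once."""
    return service.login_totp(password, code, now)


def relay_webauthn(service, auth, rp_id):
    """The phishing page tries to obtain an assertion the real site will accept."""
    challenge = service.webauthn_challenge()
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, rp_id, challenge, auth)
    except PermissionError:
        return None
    return service.login_webauthn(assertion)


def demo() -> dict:
    totp_secret, key = secrets.token_bytes(20), secrets.token_bytes(32)
    service = LegitimateService("hunter2", totp_secret, key)  # constructed credentials
    auth, now = Authenticator(key), int(time.time())
    victim_code = totp(totp_secret, now)  # what the victim types into the fake page
    token = relay_password_and_totp(service, "hunter2", victim_code, now)
    results = {"totp_relay": token in service.sessions}
    results["webauthn_relay_real_rpid"] = relay_webauthn(service, auth, service.RP_ID) is not None
    results["webauthn_relay_phish_rpid"] = relay_webauthn(service, auth, "phish.example") is not None
    genuine = browser_get_assertion(service.ORIGIN, service.RP_ID, service.webauthn_challenge(), auth)
    results["webauthn_genuine"] = service.login_webauthn(genuine) is not None
    return results
```

Calling demo() returns totp_relay True (the attacker holds a live session token), both webauthn_relay_* entries False (the browser refuses the real RP ID from phish.example, and an assertion made under the phishing site's own RP ID names the wrong origin), and webauthn_genuine True. The model leaves out the code-reuse window and real signature formats on purpose; the two checks it does encode, RP ID validation in the browser and origin comparison at the relying party, are the ones that make this class of proxy fail.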

The exploitation of AppSheet for these attacks is part of a wider pattern observed by KnowBe4 Threat Labs, where legitimate services are increasingly used to circumvent traditional email defences. The team has identified similar campaigns making use of platforms operated by Microsoft, Google, QuickBooks, and Telegram. This approach, combined with realistic impersonation, sophisticated proxy techniques, and social engineering, allows such phishing campaigns to bypass detection in environments secured by products such as Microsoft 365 and SEGs.

Ashley Stephens, Account Manager at Hotwire Australia, commented, "This campaign shows how threat actors continue to evolve their tactics, using trusted services and social engineering to bypass traditional controls. Organisations need to think beyond technical defences and prioritise human risk management supported by AI-driven detection."

KnowBe4 notes that an increasing number of organisations are deploying Integrated Cloud Email Security products that use artificial intelligence to identify advanced phishing attempts and prevent users from engaging with malicious content. The report also points to the importance of ongoing security awareness training that converts real phishing incidents into training scenarios as a means of equipping employees to recognise similar attacks in future.

KnowBe4 Threat Labs continues to monitor phishing campaigns and urges organisations to consider a layered defence approach that includes technical controls, user education, and AI-enabled monitoring to mitigate shifting cyber threats.
