New Phishing Attack Mimics Google AppSheet to Steal Login Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated phishing campaign has emerged targeting Google Workspace organizations through fraudulent emails impersonating Google’s AppSheet platform.

The attack demonstrates how cybercriminals exploit legitimate cloud services to bypass traditional email security measures and steal user credentials.

Discovered in September 2025, this campaign represents a significant escalation in social engineering tactics, leveraging the inherent trust organizations place in Google’s no-code application development platform.

The malicious campaign capitalizes on AppSheet’s widespread enterprise adoption and deep integration with Google Workspace infrastructure.

By masquerading as legitimate AppSheet communications, attackers successfully circumvent email authentication protocols while delivering convincing trademark violation notices to unsuspecting recipients.

The attack’s effectiveness stems from its abuse of authentic Google infrastructure, making detection extraordinarily challenging for conventional security systems.

This phishing operation follows a pattern of legitimate service abuse that security researchers have tracked since March 2025, when similar campaigns exploited AppSheet to impersonate Meta and PayPal services.

Raven analysts identified the current trademark violation campaign as an evolution of these earlier tactics, noting how attackers have refined their approach to maximize credential harvesting success rates while maintaining operational security.

The campaign’s most concerning aspect lies in its technical sophistication and authentication bypass capabilities.

Unlike traditional phishing attacks that rely on compromised or spoofed domains, this operation leverages Google’s legitimate email infrastructure to deliver malicious content.

Messages originate from [email protected], ensuring perfect SPF, DKIM, and DMARC authentication while maintaining excellent sender reputation scores.

Technical Infrastructure and Delivery Mechanism

The attack methodology exploits AppSheet’s legitimate email functionality through multiple potential vectors.

Attackers either compromise existing user accounts on the platform or abuse the service’s notification systems to craft messages that appear authentically generated by Google’s infrastructure.

Phishing email (Source – Raven)

The phishing emails contain professionally formatted content mimicking trademark enforcement notices, complete with urgent legal compliance requirements designed to prompt immediate user action.

Critical to the campaign’s success is its use of suspicious URL shorteners, particularly goo.su domains, which redirect victims to credential harvesting sites.

These shortened links are embedded within otherwise legitimate-appearing legal notifications, creating a compelling pretext for user interaction.

The attackers strategically host their phishing infrastructure on reputable platforms like Vercel, further enhancing the operation’s credibility and evasion capabilities.

Detection proves challenging because the emails pass all traditional authentication checks while appearing contextually appropriate to recipients familiar with routine AppSheet communications.

AppSheet phish breakdown (Source – Raven)

This combination of technical legitimacy and social engineering sophistication highlights the urgent need for context-aware email security solutions that analyze sender-content relationships rather than relying solely on authentication protocols.
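The sender-content check described above, as an added example that is not code from the article or from Raven: it looks only at mail that authenticates as the platform and flags shortener links and legal-pressure wording that do not fit a routine notification. The sender domain `appsheet.example` is a placeholder (the real address is redacted on this page), and the keyword list and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: placeholder for the platform's notification domain; the real
# sender address is redacted on the page, so substitute your own value.
PLATFORM_DOMAINS = {"appsheet.example"}
SHORTENER_HOSTS = {"goo.su"}  # shortener named in the article
# Assumption: keyword list approximating the "trademark violation" pretext.
PRETEXT_TERMS = ("trademark", "infringement", "violation", "legal action")
URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.I)

def body_text(msg):
    """Concatenate decoded text/plain and text/html parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess(raw_message):
    """Return reasons an authenticated platform notification looks out of context."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only trust Authentication-Results stamped by your own receiving MTA.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if domain not in PLATFORM_DOMAINS or "dmarc=pass" not in auth:
        return []  # out of scope: ordinary spoofing controls cover this case
    text = body_text(msg)
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    reasons = []
    short = sorted(h for h in hosts if h in SHORTENER_HOSTS)
    if short:
        reasons.append("shortener link in platform mail: " + ", ".join(short))
    terms = [t for t in PRETEXT_TERMS if t in text.lower()]
    if terms:
        reasons.append("legal-pressure wording: " + ", ".join(terms))
    return reasons

# Constructed sample messages (not taken from the campaign).
HEADERS = ("From: AppSheet <noreply@appsheet.example>\n"
           "Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n"
           "Subject: {subject}\nContent-Type: text/plain; charset=utf-8\n\n")
PHISH = HEADERS.format(subject="Trademark notice") + (
    "Your page is in violation of trademark policy. Respond within 24 hours: "
    "https://goo.su/EXAMPLE\n")
BENIGN = HEADERS.format(subject="App shared") + (
    "A colleague shared an app with you: https://www.appsheet.example/start/demo\n")
```

Calling `assess(PHISH)` returns both reasons, while `assess(BENIGN)` returns an empty list even though both messages carry identical passing authentication results.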

The campaign underscores how legitimate cloud services can become weaponized attack vectors, forcing organizations to reconsider fundamental assumptions about trusted communications in enterprise environments.
