Hackers Impersonate Google AppSheet in Latest Phishing Campaign

The cybersecurity landscape has witnessed a novel phishing campaign that weaponizes Google’s no-code platform, AppSheet, to harvest user credentials.

By abusing AppSheet’s trusted email infrastructure, attackers are bypassing traditional security controls and delivering malicious content from legitimate domains.

This development underscores the urgent need for context-aware detection systems that analyze message intent, not just sender authenticity.

AppSheet, acquired by Google in 2020, empowers users to build mobile and web applications from data sources such as Google Sheets, Excel files, and cloud databases.

Integrated tightly with Google Workspace, it sends automated emails for application notifications, data sync confirmations, user access requests, system status alerts, and workflow updates.

Organizations worldwide regard “appsheet.com” communications as inherently trustworthy, associating them with Google’s rigorous security standards. Millions of businesses leverage AppSheet to streamline processes without writing code, resulting in corporate environments where AppSheet messages are ubiquitous and seldom questioned.

The Phishing Campaign

A recent wave of phishing emails leveraged AppSheet's legitimate mail servers and authentication protocols to evade detection.

The campaign, which targeted Google Workspace-centric organizations through AppSheet-branded emails, illustrates how traditional security controls become useless when attackers abuse legitimate infrastructure.

The call-to-action used a look-alike Google URL shortener, guiding victims to credential-harvesting pages.

Attackers employed three primary abuse scenarios:

  1. Account Compromise
    By hijacking genuine AppSheet accounts, attackers embed malicious links into authentic templates.
  2. Feature Abuse
    Adversaries create new AppSheet accounts and misuse notification systems or form builders to distribute phishing messages.
  3. Template Injection
    Malicious actors inject rogue URLs into user-generated templates, then leverage AppSheet’s infrastructure to send phishing emails at scale.

This campaign builds on a trend first observed in March 2025. AppSheet-based phishing peaked on April 20th, accounting for 10.88% of global phishing email volume. Nearly all of those messages impersonated Meta, with a small fraction targeting PayPal.

That earlier effort used polymorphic identifiers and reputable hosting platforms like Vercel to evade detection, illustrating the scalability and stealth of AppSheet-powered attacks.

How Raven AI Caught the Attack

Traditional email defenses—focused on domain reputation and authentication checks—proved ineffective against this campaign. However, Raven’s AI-powered, context-aware engine identified anomalies in message content and intent.

Its analysis extended beyond verifying sender legitimacy to evaluating whether the email’s subject, body content, and call-to-action aligned with genuine AppSheet use cases.

Key detection indicators included:

  • Contextual Incongruity: Raven recognized that AppSheet would not issue trademark enforcement or legal compliance notices in this format.
  • Suspicious URL Shortener: The use of “goo.su” deviated from AppSheet’s typical communication patterns.
  • Content-Subject Mismatch: The subject line referenced unauthorized data collection, whereas AppSheet notifications rarely address legal compliance directly.
  • Behavioral Patterns: Raven correlated this campaign with prior AppSheet abuses, detecting subtle changes in messaging across polymorphic templates.
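
The first three indicators can be approximated with simple content rules, shown here as an added example (not Raven's engine or any vendor's code). The keyword list, the expected link domains, the extra shorteners beyond goo.su, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed policy values for this sketch; tune them to your own mail flow.
EXPECTED_LINK_DOMAINS = {"appsheet.com", "google.com"}
SHORTENERS = {"goo.su", "bit.ly", "tinyurl.com"}  # goo.su is the one named in the article
LEGAL_TERMS = re.compile(r"\b(trademark|infring\w*|legal|compliance|unauthorized)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def registrable(host):
    """Crude last-two-labels domain; use a Public Suffix List library in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def auth_passed(msg):
    """True if Authentication-Results (trust only your own MTA's header) shows all three passing."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(re.search(rf"\b{m}=pass\b", results) for m in ("spf", "dkim", "dmarc"))

def body_text(msg):
    """Concatenate the decoded text parts of a single-part or multipart message."""
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)

def assess(raw):
    """Return (auth_ok, findings) for mail whose From domain is appsheet.com."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if registrable(sender) != "appsheet.com":
        return auth_passed(msg), []
    body, findings = body_text(msg), []
    if LEGAL_TERMS.search(msg.get("Subject", "") + "\n" + body):
        findings.append("legal-notice-language")  # contextual incongruity
    for url in URL_RE.findall(body):
        domain = registrable(urlparse(url).hostname or "")
        if domain in SHORTENERS:
            findings.append(f"url-shortener:{domain}")
        elif domain not in EXPECTED_LINK_DOMAINS:
            findings.append(f"off-platform-link:{domain}")
    return auth_passed(msg), findings

# Constructed samples, not real campaign mail.
HEADERS = ("Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
           "From: AppSheet <noreply@appsheet.com>\n")
PHISH = HEADERS + ("Subject: Notice of unauthorized data collection\n\n"
                   "Our legal team found a trademark violation. Review: https://goo.su/XXXXXX\n")
BENIGN = HEADERS + ("Subject: Sync completed for Inventory app\n\n"
                    "Open the app: https://www.appsheet.com/start/EXAMPLE\n")
```

Both samples pass SPF, DKIM and DMARC; only the content findings separate them, which is the gap the article describes.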

Upon flagging suspicious messages, Raven advised administrators to verify links and contact AppSheet or Google Cloud legal teams before taking action, effectively preventing credential compromise.

The AppSheet phishing campaign demonstrates a fundamental flaw in relying solely on authentication-based defenses.

Attackers are increasingly abusing legitimate platforms to deliver malicious content that sails past SPF, DKIM, and DMARC checks. Security teams must shift from binary “trusted versus untrusted” models to behavioral and contextual trust frameworks.

Future email security should incorporate:

  • Dynamic analysis of content appropriateness against service usage norms.
  • Machine learning models trained on communication patterns for specific platforms.
  • Real-time correlation of message metadata with historical activity to detect anomalies.

As adversaries exploit the infrastructure of widely adopted services like AppSheet, organizations cannot afford to trust sender reputation alone. Only by embracing context-driven, behavior-oriented detection can enterprises defend against the next generation of sophisticated phishing threats.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.