{"id":36268,"date":"2026-05-27T12:06:45","date_gmt":"2026-05-27T16:06:45","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=36268"},"modified":"2026-05-28T04:21:48","modified_gmt":"2026-05-27T17:21:48","slug":"appsheet-phishing-emails","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/appsheet-phishing-emails\/36268\/","title":{"rendered":"Attackers disguising phishing as Google AppSheet notifications"},"content":{"rendered":"

Phishing campaigns have become significantly more sophisticated and convincing in recent years. Sender addresses are now nearly identical to the real deal, emails are flawlessly written, and users are called by their names. But what do you do when a suspicious email comes from a clearly legitimate email address?<\/p>\n

Lately, phishers have been exploiting the Google AppSheet platform to set up email blasts that originate from an official Google-linked address. Following a successful attack, they walk away with their victims\u2019 accounts and sensitive data.<\/p>\n

In this post, we break down how this new data theft scheme works, and how to protect yourself from these sneaky phishing attacks.<\/p>\n

Google is offering you a job. Or Coca-Cola. Or maybe Volvo. Or are they?<\/h2>\n

AppSheet is a Google service for building apps without any coding skills. It\u2019s frequently used by small businesses to automate routine workflows. Unfortunately, it\u2019s precisely this simplicity that makes AppSheet so attractive to cybercriminals. All it takes to pull off a phishing scam these days are a few dollars<\/a> and an app quickly thrown together using pre-made commands and blocks.<\/p>\n

The playbook for AppSheet phishing attacks is pretty run-of-the-mill. The victim receives an email on behalf of a major company\u00a0\u2014 and these messages often begin by addressing the recipient by name. It appears the attackers are parsing leaked data to match names with specific email addresses.<\/p>\n

Next, the attackers play on the recipient\u2019s emotions \u2014 employing either stick or carrot. They might panic the victim with urgent warnings that demand immediate action\u00a0\u2014 think \u201cYour account will be disabled soon\u201d or \u201cSuspicious activity detected\u201d. Alternatively, they lure them in with irresistible bait, like the promise of a verified badge or an interview invitation from a tech giant. These fake HR emails are engineered to give victims an immediate rush. They make it look like the recipient\u2019s application was already fast-tracked and highly rated, teasing a job offer that could drop as early as tomorrow.<\/p>\n

For most people, these messages don\u2019t raise a single red flag. The email bypasses the spam folder completely, and the From<\/em> field displays the exact name of the company they expect to see. Unfortunately, none of it means the email is authentic: attackers can put whatever they want in the display name. And let\u2019s be honest: very few people actually stop to scrutinize the sender\u2019s email address.<\/p>\n

In AppSheet-based phishing campaigns, the sender is always the same: noreply{@}appsheet.com<\/strong>. But here\u2019s the real kicker: that address is 100% legitimate. Because it\u2019s tied directly to Google\u2019s own infrastructure, there\u2019s a good chance that standard anti-spam filters greenlight these emails without blinking.<\/p>\n

Naturally, to secure that coveted interview or fix their account, the victim clicks the link\u00a0\u2014 and then voluntarily hands over their entire digital identity on a copycat website: full name, address, phone number, etc. From there, the attackers can sell the harvested data on the dark web, or weaponize it for secondary, targeted attacks<\/a>. To top it all off, the victim is redirected to a phishing login page, which allows the attackers to steal their accounts.<\/p>\n

Here\u2019s a step-by-step breakdown of how a victim goes from receiving a fake Google Careers portal email to having their account completely compromised:<\/p>\n

\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\"\"\n\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/dt>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tGreetings, Candidate! Why don't you click the link to our fake Google site to schedule an interview? \n\t\t\t\t\t\t\t\t<\/dd>\n\t\t\t\t\t\t\t<\/dl>
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\"\"\n\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/dt>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe link in the email leads to a spoofed site with a design indistinguishable from the original. The user is prompted to fill out a form: provide their full name, work email, phone number, and preferred date for interview\u2026 \n\t\t\t\t\t\t\t\t<\/dd>\n\t\t\t\t\t\t\t<\/dl>
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\"\"\n\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/dt>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\u2026Once the victim completes the form, they see a prompt asking them to log in with their Google credentials. All of this data goes straight to the attackers.\n\t\t\t\t\t\t\t\t<\/dd>\n\t\t\t\t\t\t\t<\/dl><\/div>\n

Similar phishing campaigns are launched on behalf of other major tech brands\u00a0\u2014 and the users who hand over their Apple account data risk losing not just their account but also control of all their Apple devices<\/a>. The attackers might pressure the victim into signing out of their personal Apple ID, and in to a \u201ccorporate account\u201d for verification\u00a0\u2014 which is in reality an Apple account they own. The moment the victim does so, the criminals take complete remote control of the used device, often using Lost Mode to lock the victim out and hold their phone to ransom.<\/p>\n

To make matters worse, attackers don\u2019t always drop a malicious link in the initial email. Instead, they play the long game\u00a0\u2014 hooking the target into a conversation by asking them to reply and confirm their interest. This pretexting creates an illusion of chatting with a real recruiter. And this playbook isn\u2019t reserved exclusively for Silicon Valley, either. Attackers frequently impersonate globally recognized household names, like Volvo or Coca-Cola. Of course, it\u2019s highly unlikely that attackers want someone\u2019s Coca-Cola account\u00a0\u2014 if the user even has one to begin with. Most likely, the goal is to steal sensitive data or convince the user to log in to a phishing form using their Google\/Apple\/Facebook, etc. credentials.<\/p>\n

\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\"\"\n\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/dt>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAn \"HR team member\" from Coca-Cola reaches out to praise the victim, laying it on thick about their expertise and achievements, analytical thinking, and creativity\u2026 The attackers intentionally keep the endgame under wraps \u2014 whether that means routing the victim to a phishing site, orchestrating a full account takeover, or pulling off a straight-up financial scam \n\t\t\t\t\t\t\t\t<\/dd>\n\t\t\t\t\t\t\t<\/dl>
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\"\"\n\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/dt>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tA similar email pretending to be from the Volvo talent acquisition team \n\t\t\t\t\t\t\t\t<\/dd>\n\t\t\t\t\t\t\t<\/dl><\/div>\n

Do you want to become Meta-verified?<\/h2>\n

Of course, \u201cdream jobs\u201d aren\u2019t the only bait used. We\u2019ve seen campaigns where \u201cFacebook Support\u201d reaches out to tell a user they\u2019ve been deemed eligible for the prestigious Meta Verified badge \u2014 a blue checkmark normally reserved for top-tier celebrities and global brands. To secure the coveted blue checkmark, the victim is directed to a phishing page where they\u2019re asked to complete an identity form\u00a0\u2014 before handing over the ultimate prize: their Facebook username and password. And it\u2019s all in the name of security, naturally!<\/p>\n

These spoofed sites are created in a wide variety of languages, and tailored to users in different countries. Below is the Dutch version.<\/p>\n

\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\"\"\n\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/dt>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tTo get the blue checkmark, the user is required to provide \"additional information\". Miss the deadline by just a few days and the offer expires \n\t\t\t\t\t\t\t\t<\/dd>\n\t\t\t\t\t\t\t<\/dl>
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\"\"\n\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/dt>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAfter the victim fills out the standard fields \u2014 name, phone number, personal and work emails, and birthdate \u2014 a prompt appears asking for their Facebook password \n\t\t\t\t\t\t\t\t<\/dd>\n\t\t\t\t\t\t\t<\/dl><\/div>\n

In other campaigns, attackers abuse Google\u2019s AppSheet to weaponize sheer panic, trying to unsettle the user with claims that they\u2019ve violated Meta\u2019s intellectual property policy \u2014 and threatening to permanently close their Facebook account. To appeal, the victim must click a link to\u2026 a phishing site, provide their personal information, and, of course, enter their Facebook username and password.<\/p>\n

\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\"\"\n\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/dt>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tFor the sake of plausibility, the user is not only asked to fill out fields with personal information, but also to describe in detail why the decision to close the account was a mistake\n\t\t\t\t\t\t\t\t<\/dd>\n\t\t\t\t\t\t\t<\/dl>
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\"\"\n\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/dt>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tFinally, the user is prompted to confirm their appeal request by signing in to \u201cFacebook\u201d. In reality, the victim is simply handing their credentials over to the attackers \n\t\t\t\t\t\t\t\t<\/dd>\n\t\t\t\t\t\t\t<\/dl><\/div>\n

How to spot phishing and protect your accounts<\/h2>\n

Sadly, phishing attacks are becoming increasingly sophisticated, with attackers routinely hijacking the reputation of legitimate services and domains<\/a>. Here\u2019s how to keep from falling into their traps, and safeguard your data:<\/p>\n