
The Scammers Have Leveled Up: Phishing via Real AppSheet Automations

  • Writer: Matt
  • 2 days ago

Earlier this year, I wrote about scammers spoofing AppSheet emails. Back then, it was sloppy — they pretended their Meta/Facebook notices were “from AppSheet,” but the messages didn’t actually come from Google’s infrastructure. Just cheap spoofs.


Well… the scammers have leveled up their game.


What’s New

Security researchers have confirmed that attackers are now abusing real AppSheet apps to send phishing emails. That means these messages really do come from noReply@appsheet.com, passing SPF, DKIM, and DMARC authentication. In other words, all the technical checks say “this is a trusted Google service.”



How?

  • They created an AppSheet app to send out these emails!

  • In their app, they have an automation that sends out an email

  • In the setup, they were able to customize the "From" name via the setting in the automation task



When an AppSheet automation sends an email, the From address is locked to noReply@appsheet.com, but the sender can change the display name shown in front of it.



Attackers simply embed their phishing URLs into the message body or templates. Since the email is sent by Google’s own servers, security gateways see nothing suspicious.



Why This Matters

This is a step up from garden-variety spoofing. Instead of pretending to be AppSheet, scammers are piggybacking on AppSheet’s trusted infrastructure. That makes their emails much harder to detect and block. Traditional defenses like SPF/DKIM/DMARC are useless here: they only confirm that a message really came from the domain it claims, and these did.


The messages are authentic, technically speaking. The danger comes from what’s inside the emails: links to credential-harvesting sites.

What We Should Do

  • Scrutinize the content, not just the sender. If you get an AppSheet-branded email about trademark violations, legal threats, or Meta account deletions… 🚨 red flag. That’s not what AppSheet is used for.

  • Hover before you click. If the link uses suspicious shorteners (like goo.su) or redirects to anything outside Google/AppSheet, don’t touch it.

  • Trust sources, not just domains. A real AppSheet notification should tie back to an app you know and use — not some random “compliance” message.
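The three checks above can be scripted for a mail filter or triage queue. This is an added example, not code from AppSheet or from the researchers mentioned; the trusted-domain list, the lure keywords and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed local policy for this example; tune it to your own environment.
TRUSTED_SUFFIXES = ("google.com", "appsheet.com")
SHORTENERS = {"goo.su"}  # the shortener the post names
LURE_TERMS = ("trademark", "legal", "account deletion")  # themes the post lists
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def _text(msg):  # concatenate the decoded text/* parts of a message
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def _trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def review_appsheet_mail(raw):
    """Return content findings for mail whose From address is AppSheet's."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != "noreply@appsheet.com":
        return []  # out of scope: this check only covers AppSheet-sent mail
    findings = []
    if display and "appsheet" not in display.lower():
        findings.append(f"display-name:{display}")
    body = _text(msg)
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortener:{host}")
        elif not _trusted(host):
            findings.append(f"external-link:{host}")
    haystack = (msg.get("Subject", "") + " " + body).lower()
    findings += [f"lure:{t}" for t in LURE_TERMS if t in haystack]
    return findings

# Constructed sample messages (not real campaign mail).
PHISH = ('From: "Meta Support" <noReply@appsheet.com>\n'
         "Subject: Trademark violation notice\n\n"
         "Your page faces account deletion. Appeal: https://goo.su/EXAMPLE\n")
BENIGN = ('From: "AppSheet" <noReply@appsheet.com>\n'
          "Subject: Daily inventory report\n\n"
          "Open the app: https://www.appsheet.com/start/PLACEHOLDER\n")
```

A non-empty result means the message deserves a closer look even though it passed SPF, DKIM and DMARC; an empty list only means none of these three heuristics fired.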



Final Thoughts

Scammers will keep finding creative ways to weaponize trusted platforms. This latest campaign shows how even legitimate no-code tools like AppSheet can be turned into phishing vectors.


The rule of thumb hasn’t changed: trust the sender, but verify the content.


Stay safe, and happy apping.

