
AccountDumpling: Google AppSheet Phishing Bypasses DMARC — A SAMA Email Risk

Attackers are weaponizing Google AppSheet's noreply@appsheet.com address to send phishing emails that pass SPF, DKIM and DMARC. The AccountDumpling campaign is a wake-up call for every SAMA-regulated bank that treats email authentication as a finished control.

FyntraLink Team

A newly disclosed phishing operation tracked as AccountDumpling has compromised roughly 30,000 Facebook business accounts across 50 countries by abusing Google AppSheet as a fully authenticated phishing relay. The technique is alarming for one reason: every email passes SPF, DKIM and DMARC because it really does originate from Google's automated workflow infrastructure. For SAMA-regulated banks, the campaign is a precise case study of how SaaS-native phishing defeats the email controls many institutions still treat as "done."

How the AccountDumpling Campaign Works

Researchers at Guardio attributed the operation to a Vietnamese-linked threat cluster that misuses Google AppSheet, Google's no-code workflow platform, to send phishing notifications from noreply@appsheet.com. The lures impersonate Meta Support, urging Facebook business owners to file an "account appeal" before deletion. Because the messages leave Google's environment with valid SPF, DKIM and DMARC alignment, they sail past gateway authentication checks. The point worth stating precisely: DMARC only verifies that the header From domain (here appsheet.com) authorised the sender. It says nothing about the "Meta Support" display name, the subject line or where the links go, so the gateway sees an authenticated Google message, not a spoof of Meta. Victims are redirected to credential-harvesting sites hosted on Netlify and Vercel, with stolen accounts, session cookies and 2FA codes funneled to operator-controlled Telegram bots and resold through an underground storefront.

Why "Trusted Cloud" Is the Real Attack Surface

The AccountDumpling pattern is not unique to AppSheet. Over the past 18 months attackers have abused Google Apps Script, Microsoft Forms, Notion, Atlassian, Mailchimp and Cloudflare Workers to launder phishing through reputable infrastructure. Three properties make these abuses dangerous: the sender domain is genuinely trusted, the message authenticates cleanly, and security awareness training rarely teaches users to question messages from noreply@ addresses they recognize. For Saudi banks running Microsoft 365 or Google Workspace, the same legitimate SaaS that hosts internal collaboration is also the vehicle adversaries are using to bypass perimeter email defenses.

Impact on SAMA-Regulated Saudi Financial Institutions

SAMA's Cyber Security Framework and the CSCC explicitly require email security controls, anti-phishing programs and brand impersonation defenses. NCA ECC-2:2024 controls 2-5 (Cybersecurity Awareness and Training) and 2-15 (Web Application Security) reinforce the requirement, and PDPL adds personal-data accountability when customer credentials are harvested through impersonation. A campaign like AccountDumpling targeting Saudi corporate Facebook, LinkedIn or Instagram pages — common for banks running large social customer-service operations — directly threatens customer trust, regulatory disclosure obligations and brand integrity. Regulators are increasingly asking not only "did you have DMARC?" but "did your SOC detect SaaS-relayed phishing that passed DMARC?"

Recommended Actions for SOC and Email Security Teams

  1. Tune email gateways to inspect SaaS relay domains. Add risk scoring or quarantine rules for messages from noreply@appsheet.com, Apps Script senders, Microsoft Forms relays and similar workflow services that you do not legitimately receive from in production traffic.
  2. Move beyond SPF/DKIM/DMARC. Layer behavioral email security (NLP, intent analysis, brand-impersonation detection) and link-time URL rewriting that re-evaluates destinations at click time, not just at delivery.
  3. Enforce phishing-resistant MFA for Facebook Business, LinkedIn and other social-customer-care accounts. FIDO2 hardware keys or platform passkeys defeat the password-and-OTP relay that AccountDumpling relies on. They do not protect a session cookie that is stolen after a successful login, so pair them with short session lifetimes, periodic re-authentication and rapid session revocation when a compromise is suspected.
  4. Monitor for brand abuse. Use dark-web and Telegram monitoring to detect resale of compromised corporate social media accounts. Align this feed with your SAMA CSCC threat intelligence requirements.
  5. Update awareness training. Add a module on SaaS-relayed phishing, showing real examples of legitimate senders being abused. Train social media admins specifically on Meta and LinkedIn impersonation lures.
  6. Hunt retroactively. Search Microsoft 365 or Google Workspace logs for the past 90 days for emails from appsheet.com, script.googleusercontent.com and similar relays. Investigate any clicks from privileged or social-team users.
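The detection logic behind items 1, 2 and 6, as an added example (this is not Guardio's code or tooling from the original article). It parses the Authentication-Results header, confirms that SPF, DKIM and DMARC all pass, and then scores the message on the signals DMARC cannot see: an unexpected SaaS relay as the sending domain, a brand name in the display name that does not match that domain, links to throwaway hosting, and account-appeal lure wording. The relay list, brand list, hosting suffixes and all three messages are constructed for this example; the relay list assumes the organisation receives no legitimate AppSheet or Apps Script mail.

```python
"""Triage for phishing that passes SPF, DKIM and DMARC through a SaaS relay.

Added example, not code from the original article or from Guardio. All three
messages below are constructed for this example, not real captures.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: this organisation never receives production mail from these
# workflow relays, so a message from them is anomalous even when DMARC passes.
UNEXPECTED_RELAY_DOMAINS = {"appsheet.com", "script.googleusercontent.com"}
# A brand in the display name should also appear in the sending domain.
IMPERSONATED_BRANDS = ("meta", "facebook", "instagram", "linkedin")
# Free hosting often used for short-lived credential-harvesting pages.
THROWAWAY_HOST_SUFFIXES = (".netlify.app", ".vercel.app")
LURE_PHRASES = ("appeal", "scheduled for deletion", "within 24 hours", "suspended")

URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def parse_auth_results(header):
    """Extract spf/dkim/dmarc results from an Authentication-Results header."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=([a-z]+)", header, re.I)
        results[method] = m.group(1).lower() if m else "none"
    return results


def triage(raw_message):
    """Return the auth results, the reasons DMARC cannot see, and a verdict."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload()  # samples are single-part text/plain
    reasons = []

    if sender_domain in UNEXPECTED_RELAY_DOMAINS:
        reasons.append("unexpected-saas-relay")
    name = display_name.lower()
    if any(b in name and b not in sender_domain for b in IMPERSONATED_BRANDS):
        reasons.append("brand-display-name-mismatch")
    hosts = [h.lower() for h in URL_HOST_RE.findall(body)]
    if any(h.endswith(THROWAWAY_HOST_SUFFIXES) for h in hosts):
        reasons.append("throwaway-hosting-link")
    if any(p in body.lower() for p in LURE_PHRASES):
        reasons.append("account-appeal-lure-wording")

    if any(v != "pass" for v in auth.values()):
        verdict = "dmarc-fail"   # classic spoofing; the From domain's policy decides
    elif reasons:
        verdict = "quarantine"   # authenticated, yet abused: needs a human look
    else:
        verdict = "deliver"
    return {"auth": auth, "sender_domain": sender_domain,
            "reasons": reasons, "verdict": verdict}


# Constructed sample 1: AppSheet-relayed lure. Every check passes because the
# mail genuinely left Google's infrastructure under Google's own domain.
RELAYED_LURE = """\
From: "Meta Support" <noreply@appsheet.com>
To: social-team@bank.example
Subject: Your Page is scheduled for deletion
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=utf-8

Your business account has violated our Community Standards.
File an appeal within 24 hours: https://meta-appeal-center.netlify.app/verify
"""

# Constructed sample 2: the 2018 problem, a direct spoof of the brand domain.
SPOOFED_LURE = """\
From: "Meta Support" <support@meta.com>
To: social-team@bank.example
Subject: Your Page is scheduled for deletion
Authentication-Results: mx.bank.example; spf=fail smtp.mailfrom=meta.com; dkim=none; dmarc=fail header.from=meta.com
Content-Type: text/plain; charset=utf-8

File an appeal within 24 hours: https://meta-appeal-center.vercel.app/verify
"""

# Constructed sample 3: ordinary internal mail that should be left alone.
INTERNAL_NOTICE = """\
From: "Finance Reporting" <reports@bank.example>
To: social-team@bank.example
Subject: Weekly summary
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
Content-Type: text/plain; charset=utf-8

The weekly summary is on the intranet: https://intranet.bank.example/reports
"""

SAMPLES = {"relayed": RELAYED_LURE, "spoofed": SPOOFED_LURE, "internal": INTERNAL_NOTICE}


def triage_all():
    """Triage every constructed sample; used by the command-line run below."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in triage_all().items():
        print(f"{name:9s} {r['verdict']:11s} auth={r['auth']} reasons={r['reasons']}")
```

The spoofed sample is rejected by the authentication results alone, which is exactly what DMARC was built for. The relayed sample is the AccountDumpling case: all three results pass, and only the content-level signals put it in quarantine. In a real gateway the relay list would be maintained from your own mail-flow baseline, and the same four signals can be expressed as a retroactive hunt over delivered mail rather than a delivery-time rule.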

The Strategic Lesson for Saudi CISOs

Email authentication was the right answer for the spoofing problem of 2018. AccountDumpling shows that the 2026 problem is different: the sender is real, the email is authenticated, and the abuse happens inside trusted SaaS. Banks that have not revisited their email security architecture since rolling out DMARC enforcement are operating with a control set designed for a previous threat model. SAMA's continuous-improvement expectation — written into both the Cyber Security Framework and CSCC — leaves no room for that gap.

Conclusion

AccountDumpling is small in scale by ransomware standards, but its technique is the template for the next wave of brand-abuse and credential phishing in the Gulf. For SAMA-regulated banks, the question is no longer whether DMARC is enforced — it is whether the SOC can detect a phishing email that passes every authentication check and originates from Google's own infrastructure.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that includes an email security architecture review against CSCC and NCA ECC controls.