30,000 Facebook accounts have been compromised by phishing emails Google itself delivers. Authenticated, signed, and never blocked.

We call this "AccountDumpling": a Vietnamese-linked operation that turns Google AppSheet into a phishing relay, then sells the stolen accounts back through a storefront run by the same hands. Pulling on that thread led us through Netlify-hosted Facebook clones, Vercel-hosted reward traps, Google Drive-hosted PDFs, and recruiter-style social engineering, all riding the same Google-authenticated relay and feeding the same Telegram bot infrastructure.

We mapped roughly 30,000 victims and traced the operation back to a Vietnamese name embedded in a Canva-generated PDF the attackers forgot to scrub. We also recovered enough victim data to reach out directly to many of them, telling them they had been compromised and helping them act before more damage was done.

What we found wasn't a single phishing kit. It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.

In the last month, many Facebook Business account owners woke up to an email like this sent from Google:

Your email client shows the usual trust indicators. Nothing is flagged. SPF, DKIM, DMARC all good! This email actually came from Google! It's safe!? Well, not even close...

Email phishing used to rely on spoofing, shady SMTP infrastructure, and just enough broken authentication to slip through the cracks. This case starts from the opposite premise: the email is real, the authentication is clean, and the delivery comes through the notification system of AppSheet, Google’s own no-code app builder.

Over the past few weeks, we tracked waves of emails aimed at Facebook users, page admins, and operators, almost all wrapped in some version of a Meta-related panic. Account disabled. Copyright complaint. Page locked. Blue badge review. Executive recruitment.
Different lures, different post-click paths, same destination: people controlling accounts with real financial value.

What stood out first was not just the volume, but the trust inversion. These messages were sent from `noreply@appsheet.com` and delivered through `appsheet.bounces.google.com`. In practical terms, SPF, DKIM, and DMARC all aligned exactly the way defenders expect - in this case, can you imagine Google blocking an email that a Google system sent? A green result, as usual, proved only that the sending platform was legitimate, not that the message itself was. Attackers have noticed this too. They always do.

AppSheet itself is a legitimate Google no-code platform designed to automate workflows and notifications, typically used to send app-driven alerts and internal updates. In this case, attackers abused AppSheet’s notification mechanism to deliver convincing phishing emails impersonating popular brands at scale. There was no need for spoofing, no reliance on compromised Google accounts, just a service doing exactly what it was built to do.

What initially appeared to be a narrow phishing attempt quickly expanded into something much broader. Following this thread did not lead to a single phishing kit or an isolated actor experimenting with a no-code tool, but to a multi-actor, Vietnamese-linked Facebook account hijacking ecosystem spanning Netlify, Vercel, Google Drive, Telegram, and a set of monetization endpoints that look less like a campaign and more like a business. A grim one, but a business all the same.

Starting with an examination of the different AppSheet-originated emails by their call-to-action (CTA) targets, four distinct clusters emerged. The narratives shifted, the infrastructure varied, and the evasion techniques evolved, but the target remained consistent: Facebook accounts with real-world value. Are those different attackers with the same tricks? Or just a single attacker doing some dark side of risk management?
Cluster A was the blunt instrument of the operation: fake Facebook Help Center and account-disablement notices hosted on Netlify. Victims received alarming AppSheet emails about DMCA violations, trademark issues, or permanent disablement, then landed on Facebook-themed appeal pages designed to collect everything needed for account takeover.

These pages did not stop at usernames and passwords. They requested date of birth, phone number, and government-issued ID photos — effectively collecting the full recovery package needed to bypass platform safeguards. This wasn’t just credential theft. It was identity capture.

What made Cluster A especially effective was not just the page design, but the way it was deployed. In many waves, each victim was sent to a unique Netlify subdomain, neatly sidestepping URL blocklists by ensuring there was rarely a shared link worth blocking for long. By the time a URL could be reported or flagged, its job was already done.

In later waves, traces of the build process remained. HTTrack, an open-s...
The threat is a phishing campaign dubbed "AccountDumpling" that abuses Google's legitimate AppSheet notification system as a trusted delivery mechanism for emails impersonating Meta, bypassing traditional email security checks. Attackers used authenticated emails from `noreply@appsheet.com` to lure victims to cloned Facebook login pages, compromising over 30,000 accounts. The article does not provide a CVSS score, specific affected software versions, a fixed version, or a technical workaround.
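
As an added illustration of the trust inversion described above (this is not code from the researchers or from Google): a triage function that ignores the SPF/DKIM/DMARC verdict and scores an AppSheet-relayed message on Meta branding and on links to hosted-site platforms. It matches by platform suffix rather than by exact URL, because the article notes that victims were often sent to unique Netlify subdomains; the `.netlify.app` and `.vercel.app` suffixes, the sample messages and the verdict names are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

RELAY_SENDER = "noreply@appsheet.com"         # sender named in the article
RELAY_BOUNCE = "appsheet.bounces.google.com"  # bounce domain named in the article
# Assumption: default site suffixes of the hosting platforms the article names.
HOSTED_SUFFIXES = (".netlify.app", ".vercel.app")
BRAND = re.compile(r"\b(facebook|meta)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+")

def assess(raw: str) -> dict:
    """Score one RFC 5322 message on content signals, not on auth results."""
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(str(msg.get("From", "")))
    bounce = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    hosts = {(urlparse(u).hostname or "").lower() for u in URL.findall(body)}

    relay = sender.lower() == RELAY_SENDER or bounce.endswith("@" + RELAY_BOUNCE)
    lure = bool(BRAND.search(f"{display} {msg.get('Subject', '')} {body}"))
    hosted = sorted(h for h in hosts if h.endswith(HOSTED_SUFFIXES))
    verdict = "pass"
    if relay and lure:  # AppSheet relay speaking in Meta's name
        verdict = "quarantine" if hosted else "review"
    return {
        "auth_all_pass": all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")),
        "via_appsheet_relay": relay,
        "meta_lure": lure,
        "hosted_links": hosted,
        "verdict": verdict,
    }

# Constructed samples (not real captures): one lure, one routine notification.
def sample(display: str, subject: str, body: str) -> str:
    return (f"Return-Path: <bounce-0001@{RELAY_BOUNCE}>\n"
            "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
            f'From: "{display}" <{RELAY_SENDER}>\nSubject: {subject}\n\n{body}\n')

PHISH = sample("Meta Support", "Your Facebook Page has been disabled",
               "Appeal here: https://appeal-case-0001.netlify.app/help")
BENIGN = sample("Inventory App", "Stock count updated", "Row 14 was edited.")

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, assess(raw))
```

Both samples report `auth_all_pass: True`; only the content signals separate them, which is why the verdict never consults the authentication result.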