Kaspersky has discovered a wave of phishing attacks leveraging Google’s AppSheet no-code platform. Attackers are abusing the service to distribute convincing phishing emails that may bypass many traditional security filters, following a pattern of campaigns leveraging trusted cloud tools against users. Kaspersky has previously described similar attacks abusing Google services.

With AppSheet, attackers send emails from the legitimate sender address noreply@appsheet.com, while using spoofed display names such as “GG Recruiting Team.” The emails impersonate communication from large brands like Google, Meta, Apple, Coca-Cola, and Volvo. Some emails mimic messages from recruitment teams – recipients are invited to “Schedule Your Appointment” to discuss potential career opportunities.

Clicking the link directs users to a counterfeit site that first collects contact details and preferred meeting times before redirecting to a credential-harvesting page requesting a login and password for their Google or Facebook account. In other cases, the attackers include no phishing link in the message and instead prompt the victim to reply and start a conversation, presumably to obtain the credentials later.

Threat actors can also pull target email lists from external databases they control. Because the emails originate from Google’s infrastructure, they frequently pass SPF, DKIM, and DMARC checks, significantly increasing the likelihood of message delivery. AppSheet’s automation capabilities enable attackers to send not only emails but also text (SMS) messages. Access to these capabilities requires only a paid AppSheet subscription.
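As an added example (not from Kaspersky's report), a Python heuristic a mail-filtering team could run over inbound messages to flag the pattern described above: a shared platform sender such as noreply@appsheet.com that passes SPF/DKIM/DMARC while carrying a brand- or recruiter-styled display name and an appointment lure. The sample messages are constructed, and the Reply-To comparison is an assumption beyond what the report states.

```python
"""Heuristic flag for display-name impersonation sent via a shared no-code mailer."""
from email import message_from_string
from email.utils import parseaddr

# Platform senders whose mail passes SPF/DKIM/DMARC for every tenant of the service
SHARED_PLATFORM_DOMAINS = {"appsheet.com"}
# Brands the report says were used in spoofed display names
IMPERSONATED_BRANDS = ("google", "meta", "apple", "coca-cola", "volvo")
# Recruitment / appointment lures described in the campaign
LURE_PHRASES = ("schedule your appointment", "recruiting", "recruitment", "career opportunit")
def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def assess(raw_message: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    name_lc = display_name.lower()
    text_lc = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    reasons = []
    if sender_domain in SHARED_PLATFORM_DOMAINS:
        brand = next((b for b in IMPERSONATED_BRANDS if b in name_lc), None)
        if brand:
            reasons.append(f"display name '{display_name}' invokes {brand} but sender domain is {sender_domain}")
        if any(p in name_lc or p in text_lc for p in LURE_PHRASES):
            reasons.append(f"recruitment/appointment lure sent through shared platform {sender_domain}")
    # Assumption beyond the report: Reply-To outside the sender domain moves replies to an attacker mailbox
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from sender domain {sender_domain}")
    return {"suspicious": bool(reasons), "reasons": reasons}

# Constructed samples modelled on the report's description (not real captures)
PHISH_RECRUITER = (
    'From: "GG Recruiting Team" <noreply@appsheet.com>\n'
    "Subject: Schedule Your Appointment\n\n"
    "We would like to discuss potential career opportunities with you.\n"
)
PHISH_BRAND = (
    'From: "Google Careers" <noreply@appsheet.com>\n'
    "Subject: Your interview slot\n"
    "Reply-To: talent@example.invalid\n\n"
    "Confirm your availability by replying to this email.\n"
)
BENIGN = (
    'From: "AppSheet" <noreply@appsheet.com>\n'
    "Subject: Your app inventory-tracker was updated\n\n"
    "A new version of your app has been deployed.\n"
)
```

Because the sender domain is legitimate, this check complements rather than replaces authentication results: it keys on the display name and content a DMARC pass cannot vouch for.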

“Legitimate productivity services can often become tools in an attacker’s arsenal. Kaspersky has previously tracked several campaigns where attackers exploited Google Forms and Google Tasks for redirection to fraudulent pages, and now we see AppSheet used for phishing distribution. When trusted platforms are abused, detection becomes harder. Individual and corporate users should scrutinize communication they receive, even if it comes from trusted domains,” commented Anna Lazaricheva, senior spam analyst at Kaspersky.

Kaspersky recommends that individual users verify unexpected recruitment outreach directly through official company channels, avoid clicking unsolicited links, and use Kaspersky Premium with AI-powered anti-phishing protection. Organizations can use proven security solutions like Kaspersky Secure Mail Gateway that block threats of this kind.
