According to TechRadar, cybercriminals used Google AppSheet to send phishing emails from “[email protected]” in order to bypass email protection and target Facebook accounts.
Cybersecurity researchers at KnowBe4 discovered the attacks, which exploit a legitimate Google service to deliver emails straight to inboxes and mimic Facebook to trick people into giving away login credentials and 2FA codes.
The emails, sent in bulk, bypassed Microsoft and Secure Email Gateways (SEGs) that rely on domain reputation and authentication checks (SPF, DKIM, DMARC). Each email was slightly different due to AppSheet’s unique ID generation.
The phishing emails claim the recipient infringed on someone’s intellectual property and that their account will be deleted within 24 hours unless they submit an appeal through a provided button, which leads to a landing page impersonating Facebook, hosted on Vercel.
Victims are prompted to provide login credentials and 2FA codes, which are relayed to the attackers. The first login attempt returns a “wrong password” result to confirm submission, and the provided 2FA codes are submitted to Facebook to obtain a session token for persistence.
Cybersecurity platform Keeper offers features like two-factor authentication, dark web monitoring, and breach alerts to protect against such threats, using zero-knowledge encryption to securely store and manage passwords and sensitive files.
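Because the messages described above pass SPF, DKIM and DMARC for the sending platform, a filter has to compare the brand a message names with the domains it was sent from and links to. The following is an added detection sketch, not code from KnowBe4, TechRadar or Google; the brand domain list, the hosting suffix list, the sender address and the URL in the sample are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for illustration: brand-to-domain map and app-hosting suffixes.
BRAND_DOMAINS = {"facebook": ("facebook.com", "fb.com", "meta.com")}
APP_HOSTING_SUFFIXES = (".vercel.app",)

# Constructed sample message; the sender address and URL are placeholders.
SAMPLE = """\
From: Facebook Support <noreply@automation-platform.example>
To: user@corp.example
Subject: Your account will be deleted within 24 hours
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

We found that you infringed on someone's intellectual property.
Submit an appeal: https://appeal-case-1234.vercel.app/review
Case ID: 7f3a9c
"""

def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatch_findings(raw):
    """Return reasons a single-part plain-text message looks like brand impersonation."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        # Skip brands the message does not name, and mail the brand sent itself.
        if brand not in text or host_in(sender_domain, domains):
            continue
        findings.append(f"names {brand} but sent from {sender_domain}")
        # Passing authentication only vouches for the platform that sent the mail.
        if all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")):
            findings.append("spf/dkim/dmarc pass for the platform, not the brand")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = (urlparse(url).hostname or "").lower()
            if not host_in(host, domains):
                kind = "app-hosting" if host.endswith(APP_HOSTING_SUFFIXES) else "off-brand"
                findings.append(f"{kind} link: {host}")
    return findings
```

Per-message unique IDs such as the constructed "Case ID" line do not affect the result, since the check keys on the brand, sender and link relationship rather than on a content hash.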