Issue #010, May 4, 2026
Iris Cox, Customer Success Engineer at Red Sift

What's happening in email security: April 27-May 3, 2026

Two of this week's biggest phishing campaigns passed DMARC, SPF, and DKIM. Not because the authentication checks failed, but because the emails came from real senders. AppSheet shipped the attacker's lure for them. PayPal shipped it directly.

30,000 Facebook accounts compromised via Google AppSheet phishing relay

The AccountDumpling group, attributed to a Vietnamese individual selling digital marketing services, used Google AppSheet as the sending platform for emails impersonating Meta Support. Around 30,000 Facebook Business accounts were compromised across the U.S., UK, Canada, India, the Philippines, Australia, Brazil, and several other countries. Stolen accounts were resold through an underground marketplace the same group operates.

The technique is what makes this notable. AppSheet is Google's no-code app builder, and it lets users trigger emails from automation workflows. Those emails ship from `noreply@appsheet.com` over Google's mail infrastructure, which means they pass SPF and DKIM cleanly and align under DMARC. From the receiving side, the emails are not spoofed. They are real Google-originated mail.

That's the pivot point. Most email security stacks treat verified Google senders as trusted by default, and reputation-based filtering gives well-known relay domains the benefit of the doubt. AccountDumpling weaponized that posture, building automation flows in AppSheet that generated personalized "your Facebook Business account will be permanently deleted" emails and shipped them at scale.
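To make the alignment point concrete, here is an added example (not Red Sift's code, and not anything Google ships) that evaluates DMARC identifier alignment the way a downstream filter reads the Authentication-Results header its own MX added, then applies the one check that still works after a clean pass: a display name claiming a brand that does not own the sending domain. The message, display name and subject are constructed for illustration, the SPF and DKIM domains are assumed to be appsheet.com, and the organizational-domain logic is a two-label approximation rather than the Public Suffix List.

```python
"""Added example, not Red Sift's or Google's code: why a relay like AppSheet
passes DMARC, and the content check that still fires afterwards.

The message is constructed. The SPF and DKIM domains are assumed to be
appsheet.com; the display name and subject are illustrative.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com
From: "Meta Support" <noreply@appsheet.com>
To: owner@victim.example
Subject: Your Facebook Business account will be permanently deleted

Your page was flagged. Appeal within 24 hours: https://fb-help.example/appeal
"""

# Brands whose display names should only appear on their own domains
# (an illustrative list, not a complete one).
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebook.com", "facebookmail.com"},
    "facebook": {"meta.com", "facebook.com", "facebookmail.com"},
}


def org_domain(domain):
    """Two-label approximation of the organizational domain. Real DMARC
    evaluation uses the Public Suffix List; this is enough for .com."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, strict=False):
    """RFC 7489 identifier alignment: strict wants an exact match, relaxed
    (the default for most domains) only the same organizational domain."""
    if not auth_domain:
        return False
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(msg):
    """Read the SPF/DKIM outcomes from the Authentication-Results header the
    receiving MX added, and align each against the RFC5322.From domain."""
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", ar)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1]
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(from_domain, spf.group(2))
    dkim_ok = bool(dkim) and dkim.group(1) == "pass" and aligned(from_domain, dkim.group(2))
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


def brand_impersonation(msg):
    """The check that survives a DMARC pass: a display name carrying a brand
    that does not own the sending domain. Substring matching is crude and
    needs tuning on real traffic."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = org_domain(addr.split("@")[-1])
    for brand, owners in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in {org_domain(o) for o in owners}:
            return f"display name {display!r} claims {brand} but sender domain is {domain}"
    return None


def triage(raw):
    msg = message_from_string(raw)
    verdict = dmarc_result(msg)
    verdict["impersonation"] = brand_impersonation(msg)
    return verdict


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run as-is, the verdict reports SPF and DKIM both aligned and `dmarc_pass` true, which is exactly what the receiving side saw in this campaign; the only thing that separates the lure from a legitimate AppSheet notification is the `impersonation` finding, so that is the signal a filter has to act on rather than the authentication result.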

Once a target clicked, the rest of the campaign rode on legitimate infrastructure too. The fake Facebook Help Centers were hosted on Netlify. Verification pages sat on Vercel. PDF lures pointing to credential capture pages were served from Google Drive. Every stage of the chain used a host that defenders allow-list because real users rely on the same services.

Google has not detailed what platform-level mitigations are in place to detect impersonation patterns inside AppSheet automation flows. Microsoft's Q1 numbers (below) suggest this category of trusted-relay abuse is now routine across vendor platforms rather than a one-off.

PayPal subject lines weaponized to deliver tech support scams

The cleanest example this week of email authentication being structurally bypassed. The emails come from `service@paypal.com`. They are signed by PayPal. They pass SPF, DKIM, and DMARC because they are genuine PayPal payment notifications.

The subject line is where the attack lives. It reads "Pending charge of USD 987.90" alongside a fake support phone number, while the body shows a real but tiny charge of around $0.0063 (1 JPY). Researchers believe the scammers abused PayPal's payout note or remittance field to inject text that PayPal's templating system then pulled into the subject line. By the time the email left PayPal's mail servers, the malicious subject was already part of the signed message. Victims who call the number get walked through banking credential theft and remote access tool installation. Authentication is irrelevant here: the sender is real. The root-cause fix belongs at PayPal's input validation layer, not at the receiving mail server, although a receiver can still treat a phone number in a payment-notification subject, or a subject amount that disagrees with the amount in the body, as a content signal that owes nothing to SPF, DKIM or DMARC.
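As an added example (not Red Sift's code, and not anything PayPal runs), here are those two receiver-side checks in working form: a phone number in a payment-notification subject, and a subject amount the body never mentions. Both messages are constructed to mirror the campaign, the phone number is a fictional placeholder, and the header layout is an assumption about what PayPal's notifications look like.

```python
"""Added example, not Red Sift's or PayPal's code: content checks for a
payment notification that passes DMARC because PayPal really sent it, yet
carries attacker-supplied text in its subject line.

Both messages are constructed. The phone number is a fictional placeholder
and the header layout is an assumption about PayPal's notifications.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header

INJECTED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: Pending charge of USD 987.90 - Call +1-555-0100 to cancel

You received a payment of JPY 1 (about USD 0.0063).
"""

CLEAN = """\
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: You received a payment of USD 25.00

Jane Doe sent you USD 25.00.
"""

# Currency code or symbol followed by a number; extend for other currencies.
MONEY = re.compile(r"(?:\b(USD|EUR|GBP|JPY)\s*|[$€£¥])\s*(\d[\d,]*(?:\.\d+)?)", re.I)
# Loose phone pattern; tune it, since transaction IDs can look similar.
PHONE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")


def amounts(text):
    """Distinct numeric amounts in the text, currency-agnostic."""
    return sorted({float(m.group(2).replace(",", "")) for m in MONEY.finditer(text)})


def subject_of(msg):
    """Decode RFC 2047 encoded-words first, so injected text cannot hide
    inside a =?utf-8?b?...?= subject."""
    return str(make_header(decode_header(msg.get("Subject", ""))))


def plain_body(msg):
    return "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")


def subject_findings(raw):
    """Signals that do not depend on authentication: a phone number in the
    subject, or a subject amount the body never mentions."""
    msg = message_from_string(raw)
    subject, body = subject_of(msg), plain_body(msg)
    findings = []
    phone = PHONE.search(subject)
    if phone:
        findings.append("phone number in subject: " + phone.group().strip())
    body_amounts = amounts(body)
    for amt in amounts(subject):
        if not any(abs(amt - b) < 0.005 for b in body_amounts):
            findings.append(f"subject amount {amt:.2f} absent from body, which shows {body_amounts}")
    return findings


if __name__ == "__main__":
    print(subject_findings(INJECTED))
    print(subject_findings(CLEAN))
```

The injected message produces two findings and the clean one none. The amount comparison is deliberately currency-agnostic: it asks only whether the number in the subject appears anywhere in the body, which is enough to catch a USD 987.90 subject sitting on top of a 1 JPY payment without needing exchange rates.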

Silver Fox tax-themed phishing smuggles links inside PDFs to evade gateway scanning

Silver Fox impersonated tax authorities in campaigns hitting more than 1,600 organizations across Russia, India, Indonesia, South Africa, and Cambodia. Indian targets received PDFs with embedded download links. Russian targets received "tax violation list" lures.

The mechanic is link smuggling. Most email security gateways scan attachments for malware and inspect URLs in the email body, but link extraction inside PDFs is uneven across vendors. Burying the malicious link a layer deeper inside an attachment puts it past gateways that only check the obvious surfaces. The chain ran RustSL Loader into ValleyRAT into ABCDoor, a new Python backdoor with screen broadcasting and remote control capability that mimics Tailscale's directory layout for stealth. IP geofencing screened out sandboxes before payload execution.
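As an added example (not Red Sift's code and not the group's tooling), here is a scanner that goes one layer deeper than a surface grep: it decodes PDF hex-string URIs and inflates FlateDecode streams before looking for /URI actions, the two places where a "check the obvious surfaces" gateway stops. The PDF it scans is constructed inside the block, and its URLs are placeholders on the reserved .example domain, not the campaign's infrastructure.

```python
"""Added example, not Red Sift's code and not Silver Fox's tooling: pulling
link targets out of a PDF attachment, including two places a surface-level
scan misses, a hex-encoded string object and an object packed inside a
FlateDecode object stream.

The PDF is constructed here. Its URLs use the reserved .example domain and
are placeholders, not the campaign's infrastructure.
"""
import re
import zlib

HEX_URL = "https://tax-notice.example/refund-form.pdf"
HIDDEN_URL = "https://tax-violation.example/list.zip"


def build_sample_pdf():
    """Minimal PDF: one /Link whose /URI is a hex string, one /Link packed
    into a compressed object stream, so neither URL is ASCII in the raw
    file. The xref table is omitted; the scanner does not need it."""
    hex_uri = HEX_URL.encode().hex().encode()
    objstm = (b"5 0 << /Type /Annot /Subtype /Link /A << /S /URI /URI ("
              + HIDDEN_URL.encode() + b") >> >>")
    packed = zlib.compress(objstm)
    parts = [
        b"%PDF-1.5",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <"
        + hex_uri + b"> >> >> endobj",
        b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>",
        b"stream", packed, b"endstream", b"endobj",
        b"%%EOF",
    ]
    return b"\n".join(parts)


STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def unescape(literal):
    """Undo PDF literal-string escapes: backslash-paren, double backslash
    and \\ddd octal."""
    def repl(m):
        g = m.group(1)
        if re.fullmatch(rb"[0-7]{1,3}", g):
            return bytes([int(g, 8) & 0xFF])
        return ESCAPES.get(g, g)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, literal, flags=re.S)


def inflate_streams(pdf):
    """Inflate every stream that decodes as zlib; image and font streams
    are skipped. decompressobj tolerates a final byte the STREAM regex may
    have consumed as part of the line ending."""
    out = []
    for m in STREAM.finditer(pdf):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return out


def extract_uris(pdf, follow_streams=True):
    """All /URI targets from the raw file and, optionally, inflated streams."""
    blobs = [pdf] + (inflate_streams(pdf) if follow_streams else [])
    uris = []
    for blob in blobs:
        for m in URI_LITERAL.finditer(blob):
            uris.append(unescape(m.group(1)).decode("latin-1"))
        for m in URI_HEX.finditer(blob):
            digits = re.sub(rb"\s", b"", m.group(1))
            if len(digits) % 2:
                digits += b"0"  # PDF pads an odd final nibble with zero
            uris.append(bytes.fromhex(digits.decode()).decode("latin-1"))
    return uris


def naive_grep(pdf):
    """What a scanner that only greps the raw bytes for URLs sees."""
    return [u.decode("latin-1") for u in re.findall(rb"https?://[^\s)>]+", pdf)]


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("naive grep:", naive_grep(sample))
    print("plaintext objects only:", extract_uris(sample, follow_streams=False))
    print("with inflated streams:", extract_uris(sample))
```

Three views of the same file: the raw grep finds nothing, decoding hex strings recovers the first link, and inflating the object stream recovers the second. A production scanner would also follow /Launch and /JavaScript actions and cross-reference streams, but the point here is that the gap between "scanned the attachment" and "saw the link" is a matter of which encodings the gateway bothers to undo.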

FBI ties cargo theft surge to phishing and freight broker impersonation

The FBI issued a public service announcement this week linking the rise in cargo theft to email-based impersonation of licensed freight brokers and motor carriers. Attackers send phishing emails to logistics operators, harvest credentials, and then post fraudulent shipment listings on online load boards under the impersonated company's name. Drivers accept the legitimate-looking freight and route it to attacker-controlled drop points. The Diesel Vortex group, called out by name in earlier reporting, ran credential-theft phishing through 52 lookalike domains targeting freight and logistics firms in February alone. The mechanic is mundane and effective. Once the broker's identity is in attacker hands, the rest of the supply chain treats every interaction as routine. No malware required.

Microsoft logged 8.3 billion email phishing threats and 10.7 million BEC attacks in Q1 2026

The interesting numbers in Microsoft's quarterly report aren't the volume totals but the shifts. QR code phishing surged 146% across the quarter, and QR codes embedded directly in email bodies jumped 336% in March alone. CAPTCHA-gated phishing more than doubled to 11.9 million attacks. Credential theft climbed from 89% of payload-based attacks in January to 95% in March, which points to an attacker economy consolidating around credential, session and token theft rather than malware delivery. Tycoon2FA's March disruption cut associated email volume by 15%, but the platform partially recovered within weeks using `.RU` registrations.

This roundup is published weekly by Red Sift. Test your email authentication set-up with Red Sift Investigate.