Trusted Cloud Services Used in Large-Scale Facebook and Microsoft Phishing Campaigns
Researchers reported two large phishing operations that abused trusted platforms to improve delivery and evade defenses. Guardio said the AccountDumpling campaign used Google AppSheet to send emails from legitimate Google infrastructure while impersonating Meta Support and recruiters, luring Facebook Business users with fake account disablement notices, copyright complaints, and job offers. The operation compromised about 30,000 Facebook accounts across roughly 50 countries, stealing credentials, 2FA codes, personal data, and government ID images; the stolen information was often funneled through Telegram channels, and the hijacked accounts were later sold or monetized through fraudulent advertising and scams. Evidence in generated PDF metadata linked the activity to Vietnam-based operators, including an individual identified as PHẠM TÀI TÂN.
Microsoft separately disclosed an adversary-in-the-middle phishing campaign that used fake workplace compliance notices to target more than 35,000 users at 13,000 organizations in 26 countries, with most activity concentrated in the United States. Attackers posed as internal HR and compliance teams, sent urgent messages with attached PDFs, and pushed victims through redirects, CAPTCHA checks, and a counterfeit Microsoft sign-in page designed to steal session tokens rather than just passwords, allowing account access without the victim's second factor. The incidents show how attackers are increasingly relying on legitimate cloud services and convincing enterprise-themed lures to bypass spam controls, defeat traditional authentication protections, and accelerate account takeover at scale.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses findings on AiTM compliance-notice campaign
Microsoft Defender Research publicly detailed the April phishing campaign, explaining its use of PDFs, redirects, CAPTCHA checks, and fake Microsoft sign-in pages to capture session tokens and bypass passwords and second-factor prompts. Microsoft also issued mitigations including phishing-resistant MFA, Defender for Office 365 protections, and user awareness measures.
Guardio links AccountDumpling to Vietnamese operators
Guardio reported evidence tying the AccountDumpling operation to Vietnamese threat actors, including metadata from generated PDFs and infrastructure associated with an individual named PHẠM TÀI TÂN. The reporting also described exfiltration via Telegram channels and the resale of hijacked Facebook accounts on illicit marketplaces.
AccountDumpling phishing campaign compromises Facebook accounts
An ongoing phishing operation dubbed AccountDumpling targeted Facebook Business and advertiser account owners by impersonating Meta support and recruiters, abusing trusted services including Google AppSheet to deliver lures and harvest credentials. The campaign reportedly compromised about 30,000 Facebook accounts across roughly 50 countries, with stolen data and access monetized through scams, ad abuse, and illicit account sales.
Fake compliance notice phishing campaign runs in waves
A separate adversary-in-the-middle phishing campaign operated from April 14 to April 16, 2026, using fake workplace compliance and HR notices to steal Microsoft account session tokens. It targeted more than 35,000 users across 13,000 organizations in 26 countries, primarily in the United States.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Google AppSheet Abuse Helped Phish 30,000 Facebook Accounts
techrepublic.com
Open sourceMicrosoft: Phishing campaign used fake compliance notices to compromise employee accounts - Help Net Security
helpnetsecurity.com
Open sourceVietnamese operation uses Google AppSheet for Facebook phishing, targets 30,000 accounts | brief | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Threat Actors Abuse Trusted Cloud and Ad Platforms for Multi-Stage Phishing and Scam Delivery
Threat actors are increasingly using **trusted platforms**—including cloud hosting and major ad networks—to deliver multi-stage phishing and scam campaigns that evade traditional URL and domain reputation controls. Recent activity includes a **three-step malvertising chain** delivered via **Facebook paid ads** that redirects victims through a decoy site (e.g., a fake Italian restaurant page) before landing on a **tech support scam (TSS) kit** hosted on **Microsoft Azure** infrastructure (including `web.core.windows.net`). Researchers reported rapid infrastructure churn, with **100+ domains rotated in seven days**, and targeting focused on **U.S. users** with activity concentrated on weekdays. Parallel enterprise-focused campaigns are hosting phishing infrastructure on **Microsoft Azure Blob Storage**, **Google Firebase**, and **AWS CloudFront**, using **redirect chains, CAPTCHA gates, and QR codes** to bypass automated analysis and email defenses. Analysis highlighted the use of **Adversary-in-the-Middle (AiTM)** phishing-as-a-service kits—**Tycoon2FA**, **Sneaky2FA**, and **EvilProxy**—to steal credentials and **session tokens** even when MFA is enabled. Separately, researchers documented a “clean email” approach to steal **Dropbox** credentials: benign-looking procurement-themed emails deliver **PDF attachments** that hide clickable elements (e.g., via *AcroForms* and `FlateDecode`), which then route victims to a second-stage file hosted on **Vercel Blob** and ultimately to a fake Dropbox login page that captures credentials and collects victim telemetry (IP address, location, and device details).
Mar 21, 2026
Multiple Social-Engineering Campaigns Abuse Trusted Platforms (Microsoft Teams, Vendor-Signed Email, Bing Ads/Azure)
Security researchers reported several **social-engineering campaigns** that abuse trusted platforms to increase credibility and bypass controls. One campaign targeted wedding planners and related vendors by hijacking trust in *Microsoft Teams*: attackers used compromised legitimate email threads and impersonated legal professionals (e.g., `czimmerman@craigzlaw[.]com`) to lure victims into clicking a fake Teams meeting link that ultimately redirected to `ussh[.]life/connect/teamsfinal/9/windows`, a site masquerading as a Teams download page. Victims were prompted to download Windows executables consistent with **information-stealer** behavior (credential/browser/session-token theft and C2 exfiltration), enabling follow-on account takeover and additional phishing. Separately, a report highlighted **DKIM replay**-style phishing in which criminals abuse legitimate notification/invoice workflows from **PayPal, Apple, and DocuSign** to generate cryptographically signed emails that pass DKIM/DMARC checks; attackers place scam content (often a fake support phone number and urgency) into user-controlled fields, send the message to themselves to obtain a “clean” vendor-signed email, then forward it to targets. Another campaign used **Bing search ads** to funnel users through a newly registered domain (`highswit[.]space`) to scam pages hosted on **Microsoft Azure Blob Storage** (consistent path pattern including `werrx01USAHTML/index.html` and a phone-number parameter), presenting fake Microsoft security warnings and directing victims to call numbers such as `1-866-520-2041` and `1-833-445-4045`; Netskope observed impact across dozens of US organizations.
Mar 21, 2026
Phishing Campaigns Exploiting Email Trust Mechanisms for Credential Theft
Attackers have launched multiple sophisticated phishing campaigns targeting business users by exploiting trusted email mechanisms and brand impersonation. One campaign abused the legitimate `@facebookmail.com` domain and Meta Business Suite’s invitation feature to send convincing phishing emails to Facebook Business users, primarily targeting companies in sectors like automotive, education, real estate, hospitality, and finance. These emails, which appeared authentic due to their origin from Meta’s infrastructure, redirected victims to credential harvesting sites, with some organizations receiving thousands of such messages. The attackers created fake business pages and mimicked official branding to increase the likelihood of success, as confirmed by security researchers who reproduced the attack method. Other campaigns have leveraged HTML attachments and spoofed internal notifications to bypass traditional email security. In Central and Eastern Europe, phishing emails with malicious HTML attachments embedded JavaScript to steal credentials, impersonating brands like Adobe and Microsoft and transmitting stolen data to attacker-controlled Telegram bots. Another campaign disguised phishing emails as spam filter alerts from within the victim’s own organization, using obfuscated code and personalized fake login screens to harvest credentials via websockets. These evolving tactics highlight the increasing sophistication of phishing operations and the need for organizations to monitor for unusual connections, inspect email content, and educate users about the risks of unsolicited attachments and internal-looking notifications.
Mar 21, 2026