App Sheetcom Abused To Send Phish
Query
// AppSheet.com abused to send Phish
// https://blog.knowbe4.com/impersonating-meta-powered-by-appsheet-a-rising-phishing-campaign-exploits-trusted-platforms-to-evade-detection
let MonitorKeywords = dynamic(["intellectual property", "campaign", "infringement", "disabled"]);
EmailEvents
| where TimeGenerated > ago(90d)
| where EmailDirection == "Inbound"
| where DeliveryAction != "Blocked"
| where SenderFromAddress == "[email protected]"
| where SenderDisplayName has "facebook" or SenderDisplayName has "meta"
| where Subject has_any(MonitorKeywords)Explanation
This query is designed to monitor and identify potential phishing emails that are sent using the AppSheet platform, specifically those impersonating Facebook or Meta. Here's a simplified breakdown of what the query does:
-
MonitorKeywords: A list of keywords is defined, which includes "intellectual property," "campaign," "infringement," and "disabled." These are terms that might be used in phishing emails.
-
EmailEvents: The query searches through email events data.
-
Time Frame: It looks at emails received in the last 90 days.
-
Email Direction: It focuses on inbound emails, meaning emails coming into the organization.
-
Delivery Action: It excludes emails that have been blocked, focusing on those that were delivered.
-
Sender Address: It specifically looks for emails sent from "[email protected]."
-
Sender Display Name: It checks if the display name of the sender includes "facebook" or "meta," which are indicators of impersonation.
-
Subject Keywords: Finally, it filters emails whose subject lines contain any of the specified keywords.
Overall, this query is used to detect phishing attempts that exploit trusted platforms like AppSheet to impersonate well-known companies such as Facebook or Meta, by analyzing specific patterns in email metadata and content.
Details

Steven Lim
Released: May 28, 2025
Tables
Keywords
Operators