A phishing campaign is exploiting Google’s AppSheet platform to trick Workspace users with fake trademark notices. The scam leverages the trust of a legitimate Google service to bypass email filters and land in corporate inboxes.
How the Scam Works
Researchers at Raven AI discovered that attackers are sending phishing emails disguised as official AppSheet notifications. The messages claim to inform recipients of trademark violations and instruct them to follow a link to resolve the issue.
Notification / Message (Source: Raven AI)
Because the emails originate from AppSheet — a legitimate Google service — they easily pass through spam filters. Once victims click the embedded link, they are redirected to attacker-controlled pages designed to steal credentials.
Why AppSheet Is Effective for Phishing
AppSheet is a no-code platform within Google Workspace that allows users to build apps without writing code. Corporate users often receive AppSheet-related emails for app permissions, notifications, and updates.
(Source: Raven AI)
By exploiting this familiarity, attackers ensure their phishing lures appear credible. Since AppSheet emails are almost always whitelisted by organizations, the campaign bypasses standard email security controls with little resistance.
The Fake Trademark Notice
The phishing emails analyzed by Raven AI specifically impersonated legal notifications. They warned recipients of potential trademark infringements and urged them to act quickly to avoid penalties.
This urgency, combined with the credibility of a Google-branded service, increases the likelihood of victims clicking the malicious link.
What Attackers Gain
Once on the phishing site, victims are prompted to enter Google Workspace credentials. Stolen usernames and passwords can be used to:
- Access corporate Gmail and Drive data
- Exfiltrate sensitive documents
- Impersonate employees in spear-phishing campaigns
- Move laterally across connected SaaS platforms
For enterprises, compromised Google accounts often serve as entry points for larger breaches.
Researcher Warnings
Raven AI emphasized that the attack demonstrates a dangerous trend: abusing legitimate platforms for phishing. By piggybacking on trusted services like Google AppSheet, attackers no longer need to spoof domains or craft fake headers — the messages come from legitimate infrastructure.
“This is phishing hiding in plain sight,” one researcher noted. “The trust users place in Google services is being weaponized against them.”
The AppSheet phishing scam highlights how attackers are shifting tactics to exploit legitimate cloud services rather than relying on crude email spoofing. For enterprises, this means that traditional filters are no longer enough — even messages delivered by trusted providers may carry hidden threats.
For individuals, the lesson is simple: not every email from Google is safe. Urgent requests, especially around legal or financial issues, should be verified independently before taking action.
