Hackers are using legitimate Google AppSheet emails to bypass security filters and trick users into clicking malicious links.
According to the NJCCIC (New Jersey Cybersecurity and Communications Integration Cell), a new phishing campaign is exploiting Google’s trusted AppSheet platform to deceive Google Workspace users with fake trademark enforcement notices. The scam uses authentic-looking emails sent from noreply@appsheet.com, an actual Google domain, to lure users into clicking on links that redirect to phishing sites.
Unlike typical spoofed emails, these messages originate from Google’s own mail servers and pass standard security checks, including SPF, DKIM, and DMARC. As a result, the phishing emails appear trustworthy, even to trained users and automated email filters.
AppSheet is a no-code application builder from Google, often used within organizations that rely on Google Workspace. Because it is a native Google service, users and security systems are conditioned to trust communications from it. Attackers exploit this trust by sending, through AppSheet itself, emails whose content is misleading: in this campaign, legal threats such as "trademark enforcement notices."
Reports indicate a sharp increase in AppSheet-based phishing activity since March 2025, with a major spike on April 20, when nearly 11% of all phishing emails globally were sent using AppSheet.
Security experts point out that authentication-based email filtering is no longer enough. SPF, DKIM, and DMARC only verify that a message really was sent by the domain it claims, which in this case is true; they say nothing about what the message contains. Instead, email security tools must analyze the content and context of the message to determine whether it makes sense coming from a trusted source.
According to HackRead, “the reliance on commonly used or well-known brands in social engineering attacks is nothing new; however, these attacks still remain quite effective.” By “leveraging brands that are known to potential victims,” hackers take advantage of the trust those brands have built, allowing malicious emails to “blend in with normal day-to-day activities, further increasing the trust level of the potential victim.”
HackRead also noted that using a trusted platform “removes a key red flag for victims,” since “many technical filters and controls are bypassed.” To counter this, users must learn “multiple ways to identify potential social engineering attacks, including identifying potentially harmful URLs and other traps.”
Google AppSheet phishing shows how easy it is for attackers to hide behind trusted platforms. Emails sent from Google’s own servers pass every standard check, so they look authentic to both users and filters. Legal threats like trademark notices add pressure, increasing the chances that someone clicks before thinking.
Paubox recommends Inbound Email Security as a stronger layer of protection. Its generative AI looks at context, tone, and sender behavior to catch messages that don’t fit normal patterns, even when they come from trusted domains. That means suspicious emails are blocked before they ever land in an inbox.
Because they originate from Google’s own servers and pass all standard authentication checks, these emails don’t trigger red flags in most security systems.
Legal threats like trademark violations are urgent and emotionally charged, making recipients more likely to click links without verifying authenticity.
While commonly used, URL shorteners can obscure destination links. Organizations should educate users to be cautious and use preview tools or avoid them entirely in sensitive communications.
Organizations should implement behavior-based threat detection, AI-driven message context analysis, and continuous user awareness training.
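The recommendations above (content and context analysis rather than authentication alone, and caution around URL shorteners) can be illustrated with a small triage check. The following Python is an added example written for this page, not Paubox's or Google's code: it reads the receiving mail server's Authentication-Results header, and for mail from a trusted platform domain asks whether the body fits that platform, flagging pressure wording and links that either use a shortener or lead away from the platform's own hosts. The two messages, the trusted-platform table, the shortener list and the keyword list are all constructed assumptions for the example.

```python
"""Context-aware triage for mail that arrives from a trusted platform domain.

SPF/DKIM/DMARC results only say who sent the message; this check asks whether
the content makes sense coming from that sender. All lists and sample messages
below are constructed for the example (not a vendor rule set).
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: platforms the organisation trusts, mapped to the hosts that links in
# their legitimate notifications are expected to point at.
TRUSTED_PLATFORMS = {
    "appsheet.com": {"appsheet.com", "google.com"},
}
# Assumption: a few widely used shorteners; a deployment would load a fuller list.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Wording typical of pressure-based lures (the page's example is a trademark notice).
PRESSURE_TERMS = ("trademark", "enforcement", "legal action", "within 24 hours", "immediately")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def auth_results(msg: Message) -> dict:
    """Parse the receiver-written Authentication-Results header into {method: result}."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def sender_domain(msg: Message) -> str:
    """Domain of the RFC 5322 From address (the one a user actually sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    """Plain-text body; the samples are single-part ASCII so decoding is direct."""
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def triage(raw: str) -> dict:
    """Return authentication status, context findings and a delivery verdict."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    domain = sender_domain(msg)
    expected_hosts = TRUSTED_PLATFORMS.get(domain)
    text = body_text(msg)
    findings = []

    hits = [t for t in PRESSURE_TERMS if t in text.lower()]
    if hits:
        findings.append("pressure wording: " + ", ".join(hits))
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in URL_SHORTENERS:
            findings.append(f"shortened link hides destination: {host}")
        elif expected_hosts and not any(host == h or host.endswith("." + h) for h in expected_hosts):
            findings.append(f"link leaves the platform: {host}")

    if not authenticated:
        verdict = "auth-fail"      # existing SPF/DKIM/DMARC controls already handle this
    elif expected_hosts and findings:
        verdict = "hold"           # trusted sender, but content does not fit the platform
    else:
        verdict = "deliver"
    return {"from_domain": domain, "authenticated": authenticated,
            "findings": findings, "verdict": verdict}


# Constructed sample 1: passes every authentication check, yet the content is a lure.
LURE_EMAIL = """\
From: AppSheet <noreply@appsheet.com>
To: user@example.org
Subject: Trademark Enforcement Notice
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=us-ascii

Trademark Enforcement Notice

Content associated with your account infringes a registered trademark.
Review the notice within 24 hours: http://bit.ly/constructed-example
"""

# Constructed sample 2: a routine notification that fits the platform.
BENIGN_EMAIL = """\
From: AppSheet <noreply@appsheet.com>
To: user@example.org
Subject: Your app was deployed
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=us-ascii

Your app "Inventory Tracker" was deployed.
Open it here: https://www.appsheet.com/start/constructed-app-id
"""

if __name__ == "__main__":
    for sample in (LURE_EMAIL, BENIGN_EMAIL):
        print(triage(sample))
```

Both samples are fully authenticated, so an authentication-only filter delivers both; the context check holds the first because the link is shortened and the wording applies pressure, and delivers the second because nothing in it is out of place for AppSheet. The verdict "hold" is deliberately a review queue rather than a block, since a legitimate notification can also contain an off-platform link.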
There’s no public response from Google yet regarding this specific misuse of AppSheet, though affected organizations are being advised to report and filter such messages internally.