Severity: HIGH
CVSS: 5.0
Priority: 0.694
Executive Summary
A Vietnamese-linked threat group called AccountDumpling has compromised approximately 30,000 Facebook Business accounts by routing phishing emails through Google AppSheet's legitimate infrastructure, bypassing standard spam filters. The operation captures both passwords and two-factor authentication codes, then locks victims out and resells account access through an attacker-controlled storefront. Organizations using Facebook Business accounts for advertising, customer engagement, or revenue generation face direct financial loss and brand exposure if accounts are seized and their advertising credit is drained or audience data is sold.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
👤 Are you affected?
Probably, if you manage a Facebook business page or run Facebook ads.
🔓 What got out
Suspected: Facebook business account login passwords
Suspected: One-time codes sent to your phone for login
Suspected: Access to your business page and ad account
✅ Do this now
1 Change your Facebook password right now at facebook.com/settings.
2 Turn on a stronger second login step. A physical security key is best: this scam tricks you into typing your text-message or authenticator-app code into a fake page and uses it within seconds, so codes alone do not protect you.
3 Check your Facebook Business account for any people or apps you do not recognize and remove them.
👀 Watch for these
Emails from Google or Facebook asking you to verify your account urgently.
Unexpected charges on the payment method linked to your Facebook ads.
Messages from your Facebook page that you did not send.
🌱 Should you worry?
This attack targets people who run Facebook business pages, not regular personal accounts. If you only use Facebook personally, your risk is low. If you run ads or manage a business page, act now: stolen accounts are sold quickly and are hard to recover.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
Actor Attribution: HIGH; AccountDumpling (Vietnamese-linked, unattributed to a named APT group)
TTP Sophistication: HIGH; 11 MITRE ATT&CK techniques identified
Detection Difficulty: HIGH; multiple evasion techniques observed
Target Scope: INFO; Facebook Business accounts; abused delivery/hosting platforms: Google AppSheet, Netlify, Vercel, Google Drive, Canva, Telegram
Are You Exposed?
⚠ Your industry is targeted by AccountDumpling (Vietnamese-linked, unattributed to a named APT group) → Heightened risk
⚠ You use Facebook Business Manager, or your users receive mail from Google AppSheet and can browse to Netlify, Vercel, Google Drive or Canva → Assess exposure
⚠ 11 attack techniques identified: review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
Facebook Business accounts carry direct financial value: advertising credit balances, saved payment methods, and audience data built over years. A seized account can be drained of ad credit within hours and used to run malicious campaigns that damage your brand with your own audience. Beyond immediate financial loss, unauthorized access to Business Manager data may expose customer audience lists and engagement data, creating potential obligations under data protection regulations applicable to your markets.
You Are Affected If
Your organization uses Facebook Business Manager to manage advertising, pages, or customer communications
Business Manager users access their accounts via email-linked login rather than phishing-resistant hardware MFA (FIDO2)
Your email security gateway relies primarily on sender reputation filtering and does not inspect link destinations for hosted credential-harvesting pages
Users are permitted to follow links to netlify.app, vercel.app, Google Drive, or Canva from unsolicited emails without proxy/CASB inspection
Your organization has no formal monitoring or alerting on Facebook Business Manager admin-role changes or payment method modifications
Board Talking Points
Attackers are stealing Facebook Business accounts at scale by routing fake emails through Google's own infrastructure, making them appear legitimate — approximately 30,000 accounts have been compromised.
We should immediately enforce stronger login security (hardware-based two-factor) on all Facebook Business accounts and brief staff on this campaign within the next five business days.
If no action is taken, we risk losing control of our advertising accounts, having our ad credit drained, and having our customer audience data accessed or sold.
GDPR / applicable data protection law — Facebook Business Manager audience and customer data constitutes personal data under most privacy frameworks; unauthorized access by a third party may trigger breach notification obligations depending on jurisdiction and data scope
Technical Analysis
AccountDumpling executes a multi-stage living-off-trusted-sites (LOTS) credential theft pipeline with no associated CVE. The attack chain exploits trust relationships rather than unpatched software.
Delivery: phishing emails originate from Google AppSheet's legitimate email-sending infrastructure, so they pass SPF/DKIM/DMARC and defeat sender-reputation-based spam filters.
Hosting: credential-harvesting pages are staged on Netlify, Vercel, Google Drive, and Canva, all high-reputation domains that bypass URL reputation controls.
Collection: the harvesting pages capture both passwords and TOTP/SMS-based 2FA codes and relay them in real time, so code-based MFA does not stop the takeover (CWE-287, improper authentication; CWE-1021, UI redress/overlay enabling credential interception).
Exfiltration and resale: captured credentials are exfiltrated via Telegram channels and resold through an attacker-operated storefront, a full commercial theft-to-resale pipeline (CWE-359, exposure of private information).
MITRE coverage: T1566.002 (Phishing: Spearphishing Link), T1598.003 (Phishing for Information: Spearphishing Link), T1056.003 (Input Capture: Web Portal Capture), T1539 (Steal Web Session Cookie), T1114 (Email Collection), T1071.001 (Application Layer Protocol: Web Protocols), T1567 (Exfiltration Over Web Service), T1583.006 (Acquire Infrastructure: Web Services), T1608.005 (Stage Capabilities: Link Target), T1585.001 (Establish Accounts: Social Media Accounts), T1078 (Valid Accounts).
No patch exists; the attack exploits platform trust, not a vulnerability. Remediation centers on phishing-resistant authentication, user awareness, and platform-level abuse reporting.
Action Checklist IR ENRICHED
Triage Priority:
URGENT
Escalate immediately to legal and executive leadership if audit of the Meta Business Manager Audit Log confirms unauthorized ad spend against organizational payment methods, export of Custom Audience or customer PII, or if the number of compromised admin accounts suggests the organization's Meta Business Manager was resold through AccountDumpling's storefront — each of these conditions may trigger breach notification obligations under GDPR, CCPA, or state data protection statutes depending on the nature of audience data held in the account.
1
Containment: Audit all Facebook Business Manager accounts your organization owns: verify authorized administrators, remove unrecognized users, and revoke any third-party app permissions not explicitly sanctioned. If compromise is suspected, immediately use Facebook's Remove Account Access controls in Business Manager settings and report to Meta Business Support.
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy: isolate affected accounts and revoke attacker-controlled access vectors before eradication begins
NIST IR-4 (Incident Handling)
NIST AC-2 (Account Management)
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
Export Facebook Business Manager admin roster via Settings > People > Export and diff against your last known-good admin list (maintain this in a spreadsheet under version control). Use Meta's Business Account Activity log (Settings > Security Center > Recent Activity) to identify logins from unrecognized IPs. For third-party app permissions, navigate to Business Settings > Integrations > Connected Apps and screenshot the full list before revoking anything unrecognized — this preserves evidence before you destroy attacker access.
Preserve Evidence
Before revoking access, capture: (1) a full screenshot and CSV export of the Business Manager People/Partners list showing all current admins and their email addresses, (2) the Meta Security Center > Active Sessions view showing IP addresses, device descriptions, and login timestamps for all active sessions; resolve each source IP to its ASN rather than eyeballing address prefixes (103.0.0.0/8 and 27.0.0.0/8 are APNIC blocks shared across the whole Asia-Pacific region, not Vietnamese ranges), and pay specific attention to sessions from Vietnamese ASNs such as AS45899 (VNPT) and AS7552 (Viettel) or from Mullvad/NordVPN exit nodes, (3) a Meta Business Manager audit log export (Settings > Audit Log) covering the 30-day window prior to detection, documenting any permission escalations, ad account additions, or payment method changes made by AccountDumpling operators after the account takeover.
2
Detection: Review email gateway logs for messages originating from appsheet.com or *.appsheet.com that contain links to netlify.app, vercel.app, drive.google.com, or canva.com landing pages not provisioned by your organization. Query SIEM for login events to Facebook Business Manager from unexpected geolocations or IP ranges, particularly originating from Vietnam (VN) or anonymizing infrastructure. Look for session token reuse from new devices following credential entry.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: correlate email delivery artifacts with downstream authentication anomalies to establish the AccountDumpling kill chain
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-3 (Content of Audit Records)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without a SIEM, filter an email log CSV that includes extracted URLs (the column names below are placeholders; rename them to match your export's header) with PowerShell: `Import-Csv mail_log.csv | Where-Object { $_.SenderDomain -like '*appsheet.com' -and $_.Urls -match 'netlify\.app|vercel\.app|drive\.google\.com|canva\.com' } | Select-Object Timestamp,Sender,Recipient,Subject,Urls | Export-Csv hits.csv -NoTypeInformation`. Plain message-trace exports from Microsoft 365 or Google Workspace do not contain URLs or body text, so pull the URL data from your gateway's URL-rewrite or sandbox logs first. For session anomaly detection without a SIEM, enable Meta's login alerts (Settings > Security > Login Alerts) and configure them to send to a monitored SOC mailbox. Use MXToolbox or AbuseIPDB CLI lookups against sender IPs extracted from email headers to flag Vietnamese ASNs (AS45899 VNPT, AS7552 Viettel). For link inspection, run suspicious URLs through the urlscan.io API before clicking.
Preserve Evidence
Capture before analysis: (1) Raw email headers (including x-originating-ip, Received chain, and DKIM/DMARC results) from any appsheet.com-delivered messages — these will show Google's legitimate DKIM signature passing despite the phishing payload, confirming the trusted-platform abuse technique, (2) Email gateway quarantine logs showing messages with sender domain appsheet.com and embedded hyperlinks pointing to netlify.app or vercel.app subdomains — extract the full URL paths as these typically contain victim-specific tracking tokens that can scope the campaign, (3) Facebook Business Manager login history export (Meta Security Center) showing authentication events with device fingerprint changes immediately following credential submission to the harvesting page — the real-time relay attack means attacker login will appear within seconds to minutes of victim credential entry, (4) DNS query logs from your resolver for any employee lookups of netlify.app or vercel.app subdomains not matching your known application inventory.
3
Eradication: Enforce phishing-resistant MFA (FIDO2/hardware security keys) on all Facebook Business Manager accounts; SMS and TOTP-based 2FA is defeated by this campaign's real-time relay harvesting. Add any harvesting page URLs identified to organization-controlled DNS blocklists and proxy/CASB deny lists, and force sign-out of all active Business Manager sessions so relayed credentials and stolen session cookies stop working. Report abusive infrastructure to Netlify, Vercel, and Google via their abuse reporting channels to accelerate takedown.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication: eliminate the attacker's harvested credential utility by invalidating session tokens, blocking relay infrastructure, and closing the MFA bypass vector exploited by AccountDumpling's real-time OTP relay
NIST IA-5 (Authenticator Management)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 6.5 (Require MFA for Administrative Access)
Compensating Control
For organizations without CASB: add identified netlify.app and vercel.app phishing subdomains to the browser's URL blocklist policy (for Microsoft Edge, Computer Configuration > Administrative Templates > Microsoft Edge > Block access to a list of URLs; Windows Defender SmartScreen itself does not accept custom blocklists via Group Policy) and to Pi-hole or your internal DNS RPZ blocklist. Use the free Quad9 DNS resolver (9.9.9.9) as upstream, which blocks known malicious domains by default. For FIDO2 enforcement without enterprise MDM: Meta Business Manager supports hardware security keys natively under Settings > Security > Two-Factor Authentication; walk each admin through enrolling a FIDO2 key (YubiKey 5, Google Titan, or similar), enroll a second key as a backup, and then disable SMS 2FA at the account level. Document enforcement completion per user in a spreadsheet signed off by the account owner.
Preserve Evidence
Before eradication actions, preserve: (1) the full URLs of identified harvesting pages hosted on netlify.app or vercel.app, including any URL parameters (victim tracking tokens, campaign IDs); these are forensic evidence of campaign infrastructure scope and should be submitted to abuse channels with full context, (2) a screenshot plus the HTTP response headers and body of each phishing landing page (for example `curl -sS -D headers.txt -o page.html <url>` from an isolated analysis host, or Burp Suite in passive mode; `curl -I` alone fetches only headers and misses the page that does the relaying) before reporting to hosting providers causes takedown; this documents the real-time OTP relay mechanism and is needed for abuse reports and law enforcement referrals, (3) the list of all active Facebook Business Manager sessions (Security Center > Where You're Logged In) before forcing a global session invalidation, documenting IP, device, and timestamp of each to distinguish legitimate from attacker-controlled sessions.
4
Recovery: After credential reset and MFA re-enrollment, verify that no unauthorized ad campaigns, payment method changes, or audience data exports occurred within the compromise window. Restore any modified Business Manager settings to known-good configurations. Enable Meta's login alerts and trusted device controls for all Business Manager users.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery: verify Business Manager integrity against pre-compromise baseline, confirm attacker persistence mechanisms are eliminated, and restore operational trust in the advertising account before resuming revenue-generating activity
NIST IR-4 (Incident Handling)
NIST CP-10 (System Recovery and Reconstitution)
NIST AU-11 (Audit Record Retention)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
Compensating Control
Without a dedicated SaaS security tool, conduct the Business Manager integrity audit manually using Meta's Audit Log (Settings > Audit Log): filter by the compromise window and export to CSV, then grep for action types: 'ADD_PAYMENT_METHOD', 'CREATE_AD_CAMPAIGN', 'EXPORT_AUDIENCE', 'ADD_ADMIN', 'CHANGE_ROLE'. For each flagged event, verify the actor email matches a legitimate employee. Check active ad campaigns under Ads Manager for any with unfamiliar names, unusual targeting (geographic targeting of Vietnam, Southeast Asia), or payment against a card/account not belonging to your organization. Run `diff` against a prior export of Business Manager settings if one exists.
Preserve Evidence
Capture before recovery actions: (1) Full Meta Business Manager Audit Log export covering from 30 days pre-incident through current date — this is the authoritative record of what AccountDumpling operators did post-account takeover, including any ad spend, audience list access, or page permission changes, (2) Active Ads Manager campaign list export (all campaigns, all statuses) including spend-to-date, payment method associated, audience targeting parameters, and creative assets — unauthorized campaigns may be running charges against your payment method or harvesting your Custom Audience data, (3) Payment method list from Business Manager (Settings > Payments) with full card/account details masked but last-four documented — compare against authorized payment instruments to identify any attacker-added payment methods.
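The manual integrity audit described in the Recovery step, run over an audit log export and the admin roster, as an added Python example; this is not code from the original item and the action labels, CSV layout, rosters and sample rows are constructed assumptions (Meta's export uses its own column names and action vocabulary, so map them before use).

```python
"""Audit-log and admin-roster triage for a Business Manager compromise window.

Added example, not code from the original item. The CSV layout, the action
labels and the sample rows are constructed assumptions; Meta's export uses its
own column names and action vocabulary, so map them before running this.
"""
import csv
import io
from datetime import datetime

# Action types that matter after an account takeover (labels assumed, as in the text above).
FLAGGED_ACTIONS = {"ADD_PAYMENT_METHOD", "CREATE_AD_CAMPAIGN", "EXPORT_AUDIENCE", "ADD_ADMIN", "CHANGE_ROLE"}

# Constructed export. The compromised legitimate admin (bob) adds an outside admin,
# which then adds a card and launches a campaign; a pre-window campaign and a
# harmless report view are included to show what is NOT flagged.
SAMPLE_AUDIT_LOG = """time,actor,action,target
2025-04-28T10:00:00Z,alice@example-corp.com,CREATE_AD_CAMPAIGN,Spring Sale
2025-05-02T08:06:10Z,bob@example-corp.com,ADD_ADMIN,fbads.ops.9921@mail.example
2025-05-02T08:07:55Z,fbads.ops.9921@mail.example,ADD_PAYMENT_METHOD,VISA ****4417
2025-05-02T08:09:30Z,fbads.ops.9921@mail.example,CREATE_AD_CAMPAIGN,Flash Sale 90% Off
2025-05-02T09:15:00Z,alice@example-corp.com,VIEW_REPORT,Spring Sale
"""

# Constructed rosters: the version-controlled known-good list and today's People export.
KNOWN_GOOD_ADMINS = {"alice@example-corp.com", "bob@example-corp.com"}
CURRENT_ADMINS = {"alice@example-corp.com", "bob@example-corp.com", "fbads.ops.9921@mail.example"}


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_audit_events(csv_text, window_start, window_end, authorized_actors):
    """Events in the compromise window that are either a flagged action type or were
    performed by an actor who is not on the authorized roster (any action counts then)."""
    start, end = ts(window_start), ts(window_end)
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not (start <= ts(row["time"]) <= end):
            continue
        unauthorized = row["actor"] not in authorized_actors
        if unauthorized or row["action"] in FLAGGED_ACTIONS:
            out.append({**row, "unauthorized_actor": unauthorized})
    return out


def roster_diff(known_good, current):
    """Admins added since the baseline (remove and investigate) and admins removed
    (a lock-out attempt against legitimate staff)."""
    return {"added": sorted(current - known_good), "removed": sorted(known_good - current)}


def new_payment_instruments(events):
    """Payment methods added inside the window, to compare against authorized instruments."""
    return [e["target"] for e in events if e["action"] == "ADD_PAYMENT_METHOD"]


if __name__ == "__main__":
    events = suspicious_audit_events(SAMPLE_AUDIT_LOG, "2025-05-02T00:00:00Z",
                                     "2025-05-03T00:00:00Z", KNOWN_GOOD_ADMINS)
    for event in events:
        print(event)
    print(roster_diff(KNOWN_GOOD_ADMINS, CURRENT_ADMINS))
    print(new_payment_instruments(events))
```

Note that the first flagged event is performed by a legitimate admin: after a takeover the operator acts under the victim's identity before adding their own, so filtering on unknown actors alone misses the pivot.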
5
Post-Incident: This campaign exposed a control gap: reliance on sender-reputation filtering as a primary phishing defense is insufficient when attackers route through legitimate SaaS senders. Evaluate your email security stack's ability to inspect link destinations rather than sender domain alone. Implement a formal SaaS application inventory so links to unsanctioned hosting platforms (Netlify, Vercel) can be flagged contextually. Develop or update a social media account compromise playbook covering Facebook Business Manager specifically.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: document the AccountDumpling trusted-platform abuse technique as a lessons-learned finding, update email security controls and detection rules to address URL-destination inspection gaps, and formalize the Facebook Business Manager compromise playbook for future incidents
NIST IR-8 (Incident Response Plan)
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST RA-3 (Risk Assessment)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 2.1 (Establish and Maintain a Software Inventory)
Compensating Control
For email link-destination inspection without an enterprise SEG: deploy the free Sublime Security community edition or configure Proofpoint/Mimecast sandbox rules (if already licensed) to detonate links from appsheet.com senders. Write a Sigma rule against your email gateway logs (field names must be mapped to your gateway's schema, and the approved-host filter holds your sanctioned Netlify/Vercel sites; the hostname below is a placeholder), for example:
title: AccountDumpling SaaS Phishing Relay via AppSheet Sender
status: experimental
description: Mail from Google AppSheet infrastructure carrying a link to a shared hosting platform that is not on the approved SaaS list
tags:
  - attack.initial_access
  - attack.t1566.002
logsource:
  product: email_gateway
detection:
  sender:
    sender_domain|endswith: 'appsheet.com'
  hosted_link:
    url_domain|endswith:
      - 'netlify.app'
      - 'vercel.app'
      - 'drive.google.com'
      - 'canva.com'
  approved:
    url_domain:
      - 'docs.example-corp.netlify.app'
  condition: sender and hosted_link and not approved
level: high
Submit it to the SigmaHQ community repo once tuned. For the SaaS inventory, start a CSV tracking platform name, business owner, approved use cases and known domains; Netlify and Vercel should appear as 'unapproved hosting' unless your dev team uses them. Publish the Facebook Business Manager compromise runbook in your internal wiki and schedule a tabletop exercise.
Preserve Evidence
Preserve for lessons-learned documentation: (1) Full timeline of AccountDumpling TTPs observed in this incident mapped to MITRE ATT&CK: T1566.002 (Spearphishing Link), T1557 (Adversary-in-the-Middle for OTP relay), T1078.004 (Valid Accounts: Cloud Accounts for post-compromise Business Manager access), T1583.006 (Acquire Infrastructure: Web Services for Netlify/Vercel hosting) — document which techniques your existing controls detected and which they missed, (2) Email gateway efficacy report showing that appsheet.com sender passed DMARC/DKIM/SPF checks — this documents the specific control gap for the board-level incident report and justifies investment in URL sandboxing, (3) Metrics on compromise window: time from phishing email delivery to account takeover, time from takeover to detection, time from detection to containment — these feed your MTTD and MTTR KPIs per NIST 800-61r3 §4 recommendations.
Recovery Guidance
After credential reset, FIDO2 MFA enrollment, and Business Manager audit completion, monitor Meta Security Center login alerts daily for a minimum of 30 days, as AccountDumpling operators who successfully resell account access may attempt re-entry using purchased credentials before victims complete full eradication. Verify with Meta Business Support that no cloned or shadow Business Manager accounts were created using your organization's Page or ad account assets during the compromise window, as this is a documented post-compromise persistence technique in account resale operations. Maintain the pre-incident and post-incident Audit Log exports under legal hold for 12 months in the event of regulatory inquiry or civil liability from fraudulent ad spend.
Key Forensic Artifacts
Meta Business Manager Audit Log (Settings > Audit Log): primary forensic record of all AccountDumpling post-compromise actions including admin additions, payment method changes, ad campaign creation, and audience data exports — export full log for the 30-day window surrounding the incident and retain under legal hold
Email gateway message trace logs for sender domain *appsheet.com: extract raw headers (Received chain, x-originating-ip, DKIM signature results) to document how Google's legitimate AppSheet infrastructure was used to bypass sender-reputation filtering — these headers prove the trusted-platform abuse technique and are required for abuse reports to Google, Netlify, and Vercel
Meta Security Center > Active Sessions and Login History export: contains session identifiers, IP addresses, ASN/geolocation, and device fingerprints for all authentication events; the real-time OTP relay attack will manifest as an attacker session from a Vietnamese or anonymizing IP appearing within seconds to minutes of a legitimate session from the victim's device, which is the smoking-gun artifact for this specific attack chain
Ads Manager campaign export (all statuses, full date range): documents any unauthorized ad campaigns created by AccountDumpling operators post-takeover, including targeting parameters, creative content, spend amounts, and associated payment instruments — required for financial fraud documentation and potential chargeback claims against unauthorized charges
DNS resolver query logs or proxy/CASB logs showing employee browser requests to netlify.app or vercel.app subdomains: DNS logs give you only the phishing hostname (enough to identify which endpoints resolved it), while proxy/CASB logs preserve the full URL whose path and query carry the victim-tracking tokens embedded by AccountDumpling's phishing kit; together they let you correlate which employees received and clicked the phishing link and scope the full victim population within your organization
Detection Guidance
Email gateway: alert on messages where the sending domain is appsheet.com or a subdomain thereof and the embedded URLs resolve to netlify.app, vercel.app, drive.google.com, or canva.com.
This sender/link pairing is rare in most organizations, but any AppSheet apps your own teams run will generate legitimate notifications with links, so baseline the pairing against your own mail flow before alerting on it.
CASB/proxy: flag or block outbound authentication POST requests to pages hosted on netlify.app, vercel.app, or canva.com that are not in your approved SaaS inventory.
Facebook Business Manager audit log: query for admin role additions, payment method changes, or ad account ownership transfers not initiated by known users, particularly during off-hours.
SIEM behavioral: correlate Facebook Business login events from new device fingerprints immediately following a user clicking a link from an AppSheet-originated email.
Threat intelligence: IOCs from this campaign have not been publicly confirmed in structured feeds as of this item's sourcing date; monitor T3 sources (The Hacker News, CyberSecurityNews) for published IOC drops.
Optional: threat intelligence teams monitoring Telegram-based threat markets may search for AccountDumpling storefront listings referencing Facebook Business account sales.
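The behavioral correlation called for above (and the "attacker session within seconds of the victim's session" artifact described under Key Forensic Artifacts), as an added Python example; this is not code from the original item. The login and click event shapes, ASN labels, device identifiers, known-device baseline and timings are constructed assumptions to be populated from the Meta login history export and your proxy/CASB logs.

```python
"""Correlate Business Manager logins with phishing-link clicks to surface real-time OTP relay.

Added example, not code from the original item. Event shapes, ASN labels,
device identifiers and timings are constructed assumptions; populate them from
the Meta login history export and your proxy/CASB click logs.
"""
from datetime import datetime, timedelta


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed: successful Business Manager logins as a Security Center export would list them.
LOGINS = [
    {"user": "bob@example-corp.com", "time": "2025-05-02T08:04:02Z", "ip": "198.51.100.7",
     "asn": "AS64496 ExampleCorp", "device": "win-chrome-a1"},
    {"user": "bob@example-corp.com", "time": "2025-05-02T08:04:41Z", "ip": "203.0.113.9",
     "asn": "AS7552 Viettel", "device": "linux-firefox-z9"},
    {"user": "alice@example-corp.com", "time": "2025-05-02T09:10:00Z", "ip": "198.51.100.7",
     "asn": "AS64496 ExampleCorp", "device": "mac-safari-b2"},
    {"user": "alice@example-corp.com", "time": "2025-05-02T17:40:00Z", "ip": "198.51.100.88",
     "asn": "AS64496 ExampleCorp", "device": "mac-safari-b2"},
]

# Constructed: proxy/CASB records of users following links from AppSheet-delivered mail.
CLICKS = [
    {"user": "bob@example-corp.com", "time": "2025-05-02T08:03:40Z",
     "url": "https://meta-verify-7f3a.netlify.app/login?u=ZXhhbXBsZQ=="},
]

# Assumed baseline: devices each user logged in from before the campaign window.
KNOWN_DEVICES = {"bob@example-corp.com": {"win-chrome-a1"}, "alice@example-corp.com": {"mac-safari-b2"}}


def relay_pairs(logins, window=timedelta(minutes=5)):
    """Two successful logins for one user, from different devices AND different ASNs,
    inside `window`. The victim signs in on the phishing page; the operator replays the
    relayed OTP seconds later, and that second login is the smoking-gun artifact."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: ts(e["time"])):
        by_user.setdefault(ev["user"], []).append(ev)
    pairs = []
    for user, events in by_user.items():
        for i, first in enumerate(events):
            for second in events[i + 1:]:
                if ts(second["time"]) - ts(first["time"]) > window:
                    break  # events are time-sorted, so nothing later can qualify
                if first["device"] != second["device"] and first["asn"] != second["asn"]:
                    pairs.append({"user": user, "victim_login": first["time"],
                                  "attacker_login": second["time"],
                                  "attacker_ip": second["ip"], "attacker_asn": second["asn"]})
    return pairs


def click_to_takeover(clicks, logins, known_devices, window=timedelta(minutes=15)):
    """A login from a device never seen for that user, shortly after the same user clicked a
    hosted phishing link: ties the email artifact to the account takeover and scopes victims."""
    findings = []
    for click in clicks:
        t0 = ts(click["time"])
        for ev in logins:
            if ev["user"] != click["user"]:
                continue
            delta = ts(ev["time"]) - t0
            new_device = ev["device"] not in known_devices.get(ev["user"], set())
            if timedelta(0) <= delta <= window and new_device:
                findings.append({"user": ev["user"], "click_url": click["url"],
                                 "login_time": ev["time"],
                                 "seconds_after_click": int(delta.total_seconds()),
                                 "ip": ev["ip"], "asn": ev["asn"]})
    return findings


if __name__ == "__main__":
    for pair in relay_pairs(LOGINS):
        print("relay pair:", pair)
    for finding in click_to_takeover(CLICKS, LOGINS, KNOWN_DEVICES):
        print("click -> takeover:", finding)
```

Requiring both a device change and an ASN change keeps a user with two browsers on the office network out of the results; alice's two logins hours apart fall outside the window and are ignored, while bob's second login 39 seconds after the first, from a different device on a Vietnamese ASN, is the relay.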
Indicators of Compromise (4 domains)
Type | Value | Enrichment | Context | Confidence
DOMAIN | appsheet.com | VT, US | Legitimate Google AppSheet domain abused as phishing email sender to bypass reputation filters; not inherently malicious: flag unexpected emails from this domain containing external links | HIGH
DOMAIN | netlify.app | VT, US | Legitimate hosting platform abused to stage credential-harvesting pages in this campaign | MEDIUM
DOMAIN | vercel.app | VT, US | Legitimate hosting platform abused to stage credential-harvesting pages in this campaign | MEDIUM
DOMAIN | canva.com | VT, US | Legitimate design/hosting platform abused for phishing page staging | MEDIUM
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
Microsoft 365 E3 (3 log sources): basic identity + audit. No endpoint advanced hunting; Defender for Endpoint requires a separate P1/P2 license.
Microsoft 365 E5 (18 log sources): full Defender suite (Endpoint P2, Identity, Office 365 P2, Cloud App Security) with advanced hunting across all workloads.
E5 + Sentinel (27 log sources): all E5 tables plus SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence), with analytics rules, playbooks and workbooks.
Hard indicator (direct match)
Contextual (behavioral query)
Shared platform (review required)
IOC Detection Queries (1)
4 domain indicator(s). Detects DNS lookups and connections.
KQL Query Preview
Read-only — detection query only
// Threat: AccountDumpling: Vietnamese Phishing Ring Abuses Trusted Platforms to Harvest 30
// All four domains are shared platforms with legitimate traffic: treat hits as hunting leads,
// and exclude hosts on your approved SaaS inventory before turning this into an alert.
let malicious_domains = dynamic(["appsheet.com", "netlify.app", "vercel.app", "canva.com"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (3)
Sentinel rule: Phishing email delivery
// Campaign-specific: AppSheet-delivered mail whose links land on the abused hosting platforms.
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain endswith "appsheet.com"
| join kind=inner (
    EmailUrlInfo
    | where UrlDomain has_any ("netlify.app", "vercel.app", "drive.google.com", "canva.com")
  ) on NetworkMessageId
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject,
    Url, UrlDomain, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Falcon API IOC Import Payload (4 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
{
"type": "domain",
"value": "appsheet.com",
"source": "SCC Threat Intel",
"description": "Legitimate Google AppSheet domain abused as phishing email sender to bypass reputation filters; not inherently malicious \u2014 flag unexpected emails from this domain containing external links",
"severity": "high",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-31T00:00:00Z"
},
{
"type": "domain",
"value": "netlify.app",
"source": "SCC Threat Intel",
"description": "Legitimate hosting platform abused to stage credential-harvesting pages in this campaign",
"severity": "medium",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-31T00:00:00Z"
},
{
"type": "domain",
"value": "vercel.app",
"source": "SCC Threat Intel",
"description": "Legitimate hosting platform abused to stage credential-harvesting pages in this campaign",
"severity": "medium",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-31T00:00:00Z"
},
{
"type": "domain",
"value": "canva.com",
"source": "SCC Threat Intel",
"description": "Legitimate design/hosting platform abused for phishing page staging",
"severity": "medium",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-31T00:00:00Z"
}
]
Route 53 DNS — Malicious Domain Resolution
Query Preview
# Resolver query logs name the field query_name; a suffix match catches the phishing subdomains, not just the apex domains.
fields @timestamp, query_name, srcaddr, rcode
| filter query_name like /(^|\.)(appsheet\.com|netlify\.app|vercel\.app|canva\.com)\.?$/
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1114, T1539, T1598.003, T1566.002, T1071.001, T1567, T1056.003, T1583.006, T1608.005, T1585.001, T1078
NIST SP 800-53: AT-2, SC-7, SI-3, SI-4, SI-8, AC-2 (+4 others)
HIPAA Security Rule: 164.312(d), 164.308(a)(5)(i)
MITRE ATT&CK Mapping
T1114 Email Collection (collection)
T1539 Steal Web Session Cookie (credential-access)
T1567 Exfiltration Over Web Service (exfiltration)
T1585.001 Establish Accounts: Social Media Accounts (resource-development)
T1078 Valid Accounts (defense-evasion)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.