Service abuse: AppSheet infrastructure with suspicious indicators

calendar Oct 6, 2025  ยท
Share on: linkedin copy

Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastrcture abuse has been observed recently to send phishing attacks.

Sublime rule (View on GitHub)

 1name: "Service abuse: AppSheet infrastructure with suspicious indicators"
 2description: "Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastrcture abuse has been observed recently to send phishing attacks."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.email == "noreply@appsheet.com"
 8  and (
 9    // recently registered or suspicious links
10    (
11      any(filter(body.links, .href_url.domain.root_domain != "appsheet.com"),
12          network.whois(.href_url.domain).days_old <= 10
13          or .href_url.domain.root_domain in $free_file_hosts
14          or .href_url.domain.domain in $free_subdomain_hosts
15          or .href_url.domain.root_domain in $url_shorteners
16          // account for URL rewrites
17          or (
18            any(.href_url.query_params_decoded['domain'],
19                (
20                  . in $url_shorteners
21                  or . in $free_subdomain_hosts
22                  or . in $free_file_hosts
23                )
24            )
25          )
26      )
27    )
28    // suspicious display name
29    or (
30      regex.icontains(sender.display_name,
31                      '(?:legal|misuse|compliance|violation|enforcement)',
32                      // unicode blank character confusables in display name
33                      '\x{00A0}|\x{1680}|\x{2000}|\x{200A}|\x{200B}|\x{202F}|\x{205F}|\x{3000}'
34      )
35      // commonly impersonated brands
36      or strings.ilike(strings.replace_confusables(sender.display_name),
37                       '*Apple*',
38                       '*Amazon*',
39                       '*Binance*',
40                       '*Facebook*',
41                       '*Meta*',
42                       '*Google*',
43                       '*LinkedIn*'
44      )
45    )
46    // suspicious pattern in body
47    or regex.icontains(body.current_thread.text,
48                       '(?:(Copyright|Advertising|Content|Data|Intellectual Property|I\.?\s?P\.?\b) (?:Polic(y|ies))|Violation|Contravention|Complaint|Misuse)|(?:(Enforce(ment)?|Required|Mandatory|Immediate) (?:Action|Response))|Cease (\&|and) Desist'
49    )
50    // NLU failsafe
51    or (
52      any(ml.nlu_classifier(body.current_thread.text).intents,
53          .name in~ ("cred_theft", "steal_pii", "job_scam")
54          and .confidence in~ ("medium", "high")
55      )
56      // negate the NLU result if there is only a single link leading back to AppSheet (likely benign)
57      and not (
58        length(body.links) == 1
59        and any(body.links,
60                .display_text == "Powered by AppSheet"
61                and .href_url.domain.root_domain == "appsheet.com"
62        )
63      )
64    )
65  )
66  // negate legitimate use of AppSheet within the org
67  and not (
68    length(headers.reply_to) is not null
69    and any(filter(headers.reply_to, .email.domain.root_domain != "appsheet.com"),
70            .email.domain.root_domain in~ $org_domains
71            or .email.domain.root_domain in~ $recipient_domains
72    )
73  )  
74
75attack_types:
76  - "Credential Phishing"
77tactics_and_techniques:
78  - "Evasion"
79  - "Social engineering"
80detection_methods:
81  - "Content analysis"
82  - "Natural Language Understanding"
83  - "URL analysis"
84  - "Whois"
85id: "5937646a-60b0-5b86-9df0-94c8d18aa774"
to-top