Security researchers at Malwarebytes have recently discovered a phishing campaign that abuses legitimate Windows device management features to take control of victims’ computers without installing traditional malware.
Instead of tricking users into downloading a malicious file, the attack relies on a convincing fake Google Meet update prompt.
A Simple but Effective Phishing Page
Victims encounter a webpage that mimics a Google Meet notification urging them to install the latest version to continue using the service.
At first glance, the page appears legitimate, using familiar branding and messaging. But clicking either the “Update now” or “Learn more” buttons triggers a hidden Windows command rather than a software update.
The page launches a Windows deep link using the ms-device-enrollment URI scheme.
This built-in feature is normally used by corporate IT departments to enroll employee devices into a mobile device management (MDM) system.
In this attack, however, the enrollment request connects to an attacker-controlled management server instead.
How the Attack Takes Over a Device
When users click the button, Windows automatically opens the “Set up a work or school account” dialog—an official system prompt that looks completely legitimate.
The enrollment form is already pre-filled with attacker-controlled information, including a fake corporate account and a server address hosted on a legitimate cloud management platform.
If the user continues through the setup process, their computer becomes enrolled in the attacker’s MDM system.
Once enrolled, attackers can remotely control the device using the same capabilities available to corporate IT administrators, including:
Installing or removing software
Changing system settings
Reading files on the device
Locking the screen
Completely wiping the computer
Because the operating system itself performs these actions, there may be no malware file or suspicious process for security tools to detect.
Abuse of Legitimate Features
This campaign highlights a growing trend where attackers rely on legitimate system features rather than traditional malware.
The attack uses:
A real Windows device enrollment mechanism
A legitimate cloud MDM platform
An authentic system dialog
Since everything involved is technically legitimate, many security tools struggle to identify the activity as malicious.
How to Check if Your Device Is Affected
Users who may have interacted with the fake update page should verify whether their device has been enrolled in an unknown management system.
To check:
Open Settings
Navigate to Accounts → Access work or school
Look for any unfamiliar entries
If a suspicious enrollment appears, select it and choose Disconnect immediately.
Security experts also recommend running a full malware scan, as attackers may have pushed additional software to the system after enrollment.
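For administrators who need to run the same check from a console or across many machines, the following PowerShell sketch is an added example and does not come from Malwarebytes or the original article. It reads the enrollment records Windows keeps under HKLM:\SOFTWARE\Microsoft\Enrollments and flags any management server that is not on an approved list; the host name in $ApprovedHosts is a placeholder assumption to replace with your organization's own MDM endpoint.

```powershell
# Added example: audit MDM enrollments recorded in the registry.
# Assumption: $ApprovedHosts is a placeholder allow-list, not a real endpoint.
$ApprovedHosts = @('mdm.corp.example')

$root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

$enrollments = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath

        # Housekeeping subkeys carry no discovery URL; only real enrollment
        # records name a management server, so skip everything else.
        if (-not $p.DiscoveryServiceFullURL) { return }

        # Extract the host name; fall back to the raw value if it is not a URL.
        $uri = $null
        $ok  = [uri]::TryCreate($p.DiscoveryServiceFullURL,
                                [System.UriKind]::Absolute, [ref]$uri)
        $serverHost = if ($ok) { $uri.Host } else { $p.DiscoveryServiceFullURL }

        [pscustomobject]@{
            EnrollmentId = $_.PSChildName      # GUID-named registry key
            Account      = $p.UPN              # account used for enrollment
            Provider     = $p.ProviderID       # MDM provider name
            Server       = $serverHost
            Approved     = $ApprovedHosts -contains $serverHost
        }
    }

if (-not $enrollments) {
    Write-Output 'No MDM enrollment records found.'
} else {
    $enrollments | Format-Table -AutoSize

    # Surface anything that points at a server outside the allow-list.
    $enrollments | Where-Object { -not $_.Approved } | ForEach-Object {
        Write-Warning ("Unapproved MDM server '{0}' (account '{1}', key {2})" -f `
            $_.Server, $_.Account, $_.EnrollmentId)
    }
}
```

A flagged entry should be confirmed and removed through Settings → Accounts → Access work or school as described above, rather than by deleting registry keys.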
Staying Safe from Similar Attacks
To avoid falling victim to similar scams:
Avoid installing updates from websites or pop-ups
Only update applications through official software channels
Be cautious of unexpected prompts requesting system changes
Verify URLs before interacting with update notifications
As attackers increasingly exploit built-in system tools instead of malware, recognizing suspicious workflows is becoming just as important as spotting malicious downloads.
