Silent Takeover: How a Fake Google Meet Update Hijacks Windows Devices via MDM Enrollment

Executive Summary
A sophisticated yet deceptive phishing campaign is currently targeting Windows users by exploiting the operating system's native device management capabilities. Rather than stealing credentials or downloading malicious files, threat actors are leveraging a legitimate Windows URI scheme (ms-device-enrollment) to silently enroll victims' computers into an attacker-controlled Mobile Device Management (MDM) server.
By impersonating a Google Meet update notification, the attackers bypass traditional web-based defenses. The campaign relies on a "trust the process" social engineering tactic; once a user clicks "Update now," Windows bypasses the browser interface and launches a native system dialog. If the victim proceeds through the wizard, they unwittingly grant the attacker full administrative control over their machine, including the ability to install applications, enforce security policies, and wipe the device remotely. SecLookup’s threat intelligence team has identified and is actively blocking these malicious domains to prevent unauthorized device takeovers.
Threat Analysis
The Vector: ms-device-enrollment URI Scheme
The core of this attack lies in the abuse of the ms-device-enrollment: URI scheme. This is a built-in Windows protocol designed for enterprise environments, allowing IT administrators to send a single link to a user that automatically opens the "Set up a work or school account" dialog. While this feature is legitimate for corporate provisioning, it creates a dangerous vector when weaponized.
When a user visits the phishing page and clicks the update button, the link does not navigate to a website. Instead, it triggers a deep link that bypasses the browser entirely. The browser hands control to the Windows shell, which opens the native enrollment prompt. This behavior is particularly difficult to detect because it is a standard operating system function; standard web proxies and URL filters often cannot block or inspect the payload of an internal OS URI handler.
Social Engineering and Trust Exploitation
The social engineering in this campaign is deceptively simple but highly effective. The page is meticulously designed to mimic the visual identity of Google Meet, utilizing the correct color palette and branding. The prompt reads, "To keep using Meet, install the latest version." This creates a false sense of urgency and authority.
Crucially, the attackers do not attempt to perfect the impersonation of the victim's identity. The username field in the pre-populated dialog reads collinsmckleen@sunlife-finance.com (impersonating the corporate domain Sun Life Financial). However, the goal is not credential theft; it is device theft. The attacker's goal is to get the user to click through the trusted Windows workflow. Once the user clicks "Next" and accepts the enrollment, their machine becomes a managed device under the attacker's MDM server.
TTPs and MITRE ATT&CK Mapping
This campaign exhibits several TTPs that map to the MITRE ATT&CK framework:
T1566.001 (Phishing: Spearphishing Link): The attackers use a link disguised as an update to lure the victim into clicking.
T1546.004 (Windows Management Instrumentation Event Subscription): While technically related to WMI, the ms-device-enrollment mechanism relies on Windows management subsystems. The attack exploits the trust placed in OS-level management tools.
T1059.001 (Command and Scripting Interpreter: PowerShell): While not explicitly mentioned in this specific report, successful MDM enrollment typically paves the way for the attacker to execute scripts or commands via PowerShell on the enrolled device.
The impact of T1546.004 in this context is severe because it bypasses the need for the attacker to gain shell access via an exploit; they simply trick the user into granting it via the OS's own permission model.
Indicators of Compromise (IOCs)
SecLookup’s telemetry has confirmed the following malicious entities associated with this campaign. Security teams should immediately block these assets to prevent device enrollment.
Malicious Domains
updatemeetmicro[.]online
tnrmuv-api.esper[.]cloud
Email Addresses
collinsmckleen@sunlife-finance.com
sendpoint@tnrmuv-api.esper.cloud
SecLookup Detection
SecLookup’s threat intelligence platform has been actively monitoring for this specific campaign. We have successfully detected and blocked the following malicious domains:
updatemeetmicro.online: This domain hosts the phishing landing page. Our systems have flagged it as malicious based on recent association with phishing campaigns targeting Google Workspace users.
tnrmuv-api.esper.cloud: This endpoint acts as the management server receiving the enrollment requests. It has been blacklisted to prevent the establishment of the MDM connection.
Our monitoring confirms that the updatemeetmicro.online domain returns a standard HTTP 200 response but is used solely for social engineering purposes. We are actively blocking traffic to this domain to protect SecLookup users from falling victim to this device takeover attack.
Recommendations
To defend against this type of "silent takeover" attack, organizations must adjust their security posture to include OS-level awareness.
Implement OS-Level Filtering: Ensure that your network security policies extend beyond web filtering to include blocking internal OS URI schemes. While difficult to implement at the perimeter, endpoint detection and response (EDR) solutions should be configured to alert on unusual ms-device-enrollment activity.
Train on Native Dialogs: Educate users that they should never click "Update" buttons in browser windows, regardless of how official they look. If a browser attempts to open a native Windows dialog for device enrollment, users should verify the "Server" or "Account" fields manually. In this campaign, the server field pointed to an external domain (tnrmuv-api.esper.cloud) rather than a legitimate corporate domain.
Verify Certificate Pinning and Domain Trust: While this specific attack uses a direct URI link, maintaining strict control over MDM enrollment URLs is vital. Organizations should ensure that their official MDM URLs are whitelisted and that users are trained to recognize official prompts from their IT department versus external phishing attempts.
Block Suspicious Domains: Ensure your DNS filtering and firewall rules include the blocked domains listed in the IOCs section above.
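As an added illustration of the EDR alerting recommended above and of the URI-handler hand-off described in the Threat Analysis section (this is not code from SecLookup or from the campaign), the following Python script parses ms-device-enrollment: links, such as hrefs pulled from a proxied page or from an EDR URL-handler event, and flags any whose servername is not an approved MDM host or whose pre-filled username domain does not match the server it would enroll with. The parameter names (mode, username, servername) are assumed from the documented Windows URI format; the allowlist host and the sample links are constructed.

```python
"""Flag ms-device-enrollment: links whose MDM server is not an approved corporate endpoint."""
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of the organization's own MDM enrollment hosts.
ALLOWED_MDM_HOSTS = {"mdm.corp.example"}

# Constructed sample links (e.g. hrefs from a proxied page or an EDR URL-handler event).
# The second mirrors the campaign above: corporate-looking username, unrelated server.
SAMPLE_LINKS = [
    "ms-device-enrollment:?mode=mdm&username=alice%40corp.example"
    "&servername=https%3A%2F%2Fmdm.corp.example%2FEnrollmentServer%2FDiscovery.svc",
    "ms-device-enrollment:?mode=mdm&username=collinsmckleen%40sunlife-finance.com"
    "&servername=https%3A%2F%2Ftnrmuv-api.esper.cloud",
    "https://meet.google.com/",
]


def parse_enrollment_link(link):
    """Return the query parameters of an ms-device-enrollment: link, or None for other URLs.
    Parameter names (mode, username, servername) are assumed from the documented URI format."""
    scheme, sep, rest = link.partition(":")
    if not sep or scheme.lower() != "ms-device-enrollment":
        return None
    query = rest[1:] if rest.startswith("?") else rest
    return {k: v[0] for k, v in parse_qs(query).items()}


def classify(link):
    """Return (verdict, reasons): 'ignore' for non-enrollment URLs, 'allowed' for approved servers, else 'alert'."""
    params = parse_enrollment_link(link)
    if params is None:
        return "ignore", []
    server = params.get("servername", "")
    if "://" not in server:  # the parameter may be supplied without a scheme
        server = "https://" + server
    host = (urlsplit(server).hostname or "").lower()
    reasons = []
    if host not in ALLOWED_MDM_HOSTS:
        reasons.append(f"servername host {host or '<missing>'} is not an approved MDM endpoint")
    user_domain = params.get("username", "").rpartition("@")[2].lower()
    # A pre-filled corporate-looking username pointing at an unrelated server is the campaign's tell.
    if user_domain and host and not (host == user_domain or host.endswith("." + user_domain)):
        reasons.append(f"username domain {user_domain} does not match server {host}")
    return ("alert" if reasons else "allowed"), reasons


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reasons = classify(link)
        print(verdict, link[:70], *reasons, sep="\n  ")
```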
References
- One click on this fake Google Meet update can give attackers control of your PC, Malwarebytes Labs. Published March 6, 2026.