Cybersecurity analysts have identified a phishing campaign that can quietly hand control of a Windows computer to attackers after a single click. The scam appears as a routine update notice for Google Meet, but the prompt is fraudulent and redirects victims into a device management system controlled by threat actors.
Unlike many phishing schemes, the technique does not steal passwords, download obvious malware, or display clear warning signs. Instead, the attack relies on convincing users to interact with a page that imitates a standard software update message.
A convincing but fake update message
The deceptive webpage tells visitors they must install the latest version of Meet in order to continue using the service. The design closely resembles a legitimate update notification and uses familiar colors and branding that many users associate with Google products.
However, both the “Update now” button and the “Learn more” link do not connect to any official Google resource. Instead, they activate a special Windows deep link known as ms-device-enrollment:.
This feature is a built-in Windows mechanism designed for corporate environments. IT administrators commonly use it to send employees a link that allows a computer to be enrolled in a company’s device management system with minimal effort. In the attack campaign, the same capability is redirected to infrastructure operated by the attacker.
How the enrollment process begins
Windows enrollment links such as ms-device-enrollment: are commonly used in corporate environments where organizations need to configure large numbers of laptops quickly. The link automatically opens Windows settings and connects the device to an enterprise management server.
Once enrolled, the device becomes part of a management framework that allows administrators to deploy software updates, enforce security policies, and manage system configurations remotely.
Attackers exploit this workflow because users are accustomed to seeing this setup process when joining corporate networks, making it appear legitimate.
When a victim clicks the link, Windows immediately bypasses the browser and opens the operating system’s “Set up a work or school account” dialog. This is the same interface that appears when an organization configures a new employee laptop.
The enrollment request arrives with several fields already filled in. The username displayed is collinsmckleen@sunlife-finance.com, a domain designed to resemble the financial services firm Sun Life Financial. Meanwhile, the server connection is preconfigured to an endpoint hosted at tnrmuv-api.esper[.]cloud, which is part of infrastructure operated by Esper.
The attacker’s objective is not to impersonate the victim’s account perfectly. Instead, the goal is to persuade the user to continue through the legitimate Windows enrollment process. Even if only a small portion of targeted users proceed, that is enough for attackers to gain access to some systems.
What attackers gain after enrollment
If the victim clicks Next and completes the setup wizard, the computer becomes registered with a remote Mobile Device Management (MDM) server.
MDM platforms are commonly used by organizations to manage employee devices. Once a device joins such a system, administrators can remotely install or remove applications, modify operating system settings, access stored files, lock the device, or completely erase its contents.
Because the commands come from
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: