Cybersecurity researchers have uncovered a new phishing campaign that can give attackers full control of a victim’s computer with just a single click. The attack disguises itself as a legitimate Google Meet update notification, tricking users into enrolling their Windows devices into a malicious device management system.
The campaign highlights how cybercriminals are increasingly exploiting trusted brands and legitimate system features rather than relying on traditional malware downloads.
The Attack: A Convincing Fake Update
The scam begins with a webpage that looks like a legitimate Google Meet update prompt. The page uses familiar branding and displays a message encouraging users to update the app to continue using the service.
The message typically reads something similar to:
“To keep using Meet, install the latest version.”
At first glance, nothing seems suspicious. However, both the “Update now” and “Learn more” buttons redirect users away from Google’s infrastructure and trigger a hidden Windows command instead.
Unlike many phishing attacks, this one doesn’t attempt to steal passwords or trick users into downloading obvious malware.
How the Hack Works
The attack abuses a built-in Windows feature: the ms-device-enrollment: URI scheme. Organizations normally use this scheme to enroll employee devices into corporate management systems for IT administration.
In this campaign, attackers simply point that enrollment link to their own server.
Once a victim clicks the fake update button:
- The Windows device automatically initiates a device management enrollment process.
- The computer connects to a server controlled by the attackers.
- The attacker gains administrative-level management capabilities over the machine.
This gives threat actors the ability to remotely manage the device in ways similar to a company IT administrator.
What Attackers Can Do After Access
Once the victim’s PC is enrolled in the attacker-controlled management system, the attackers can potentially:
- Install additional software or malware
- Change system settings
- Monitor activity or collect data
- Maintain persistent access to the device
- Deploy further attacks inside a network
Because the process uses legitimate system management features rather than traditional malware files, it may bypass some security alerts.
Part of a Growing Phishing Trend
Security researchers say this campaign is part of a broader trend where cybercriminals impersonate popular collaboration tools such as video conferencing platforms.
Recent attacks have used fake Zoom or Google Meet pages that prompt victims to install software updates or troubleshooting tools, which are actually spyware or monitoring software installed in stealth mode.
These social engineering tactics rely heavily on familiarity—people trust platforms they use daily for work or meetings.
How to Stay Safe
Security experts recommend several precautions to avoid falling victim to similar scams:
1. Avoid installing updates from webpages
Only update apps through official sources such as the vendor website or built-in update tools.
2. Check URLs carefully
Fake pages often closely resemble legitimate sites but use slightly different domains.
3. Be cautious with unexpected update prompts
If an update request appears unexpectedly during a meeting or from a random link, verify it before clicking.
4. Monitor device management settings
Unexpected device enrollment activity can indicate compromise.
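One way to carry out the check in step 4, as an added example that is not from the original article or the researchers it cites: a PowerShell audit of the enrollments Windows records under HKLM:\SOFTWARE\Microsoft\Enrollments, flagging any whose management server is not expected. The function name Get-MdmEnrollment and the $ExpectedHosts allowlist (with its placeholder host) are assumptions made for this illustration.

```powershell
# Added example: list the MDM enrollments Windows has recorded and flag any
# whose management server is not on the allowlist below.
# ASSUMPTION: $ExpectedHosts is a placeholder; use your organisation's MDM host(s),
# or leave it empty on a personal PC that should not be managed at all.
$ExpectedHosts = @('mdm.example.com')

function Get-MdmEnrollment {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path -Path $root)) { return }

    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Housekeeping subkeys carry no discovery URL; skip them.
        if (-not $props -or -not $props.PSObject.Properties['DiscoveryServiceFullURL']) { continue }
        $url = [string]$props.DiscoveryServiceFullURL
        if ([string]::IsNullOrWhiteSpace($url)) { continue }

        # Compare on the parsed host only, so a look-alike path or query
        # string cannot make an unknown server appear expected.
        $uri = $null
        $serverHost = $null
        if ([Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $serverHost = $uri.Host.ToLowerInvariant()
        }

        [pscustomobject]@{
            EnrollmentId = $key.PSChildName
            ProviderID   = $props.ProviderID
            UPN          = $props.UPN
            DiscoveryUrl = $url
            ServerHost   = $serverHost
            Expected     = [bool]($serverHost -and ($ExpectedHosts -contains $serverHost))
        }
    }
}

$enrollments = @(Get-MdmEnrollment)
$unexpected  = @($enrollments | Where-Object { -not $_.Expected })

$enrollments | Format-Table EnrollmentId, ProviderID, UPN, ServerHost, Expected -AutoSize
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} enrollment(s) point at a server that is not on the allowlist." -f $unexpected.Count)
}
```

An enrollment flagged here also appears under Settings > Accounts > Access work or school, where it can be reviewed and disconnected.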
The Bigger Picture
This attack demonstrates how cybercriminals are shifting from traditional malware distribution toward abusing legitimate system features. By using built-in Windows management tools, attackers can gain powerful access with minimal warning signs.
In cybersecurity, sometimes the most dangerous threats are not the complex ones—but the ones that require just a single click.
