Fake Google Meet Update Malware Lets Hackers Control Your PC
Imagine joining a routine Google Meet call, only to see a sleek update prompt in Google’s familiar blues and whites: “To keep using Meet, install the latest version.” One click, and boom, your Windows PC is silently handed over to hackers.
No shady downloads, no password prompts, no antivirus alerts. This phishing scam, spotted in the wild this week, weaponizes a built-in Windows feature to enroll your device in an attacker-run management system.
The trap starts with a phishing page that mimics Google Meet closely enough to pass a quick glance. Links like “Update now” or “Learn more” don’t download software; they trigger a Windows deep link via the ms-device-enrollment: URI scheme.
This is legitimate technology meant for IT staff to onboard company laptops with a single tap. The attackers simply pointed it at their own server, tnrmuv-api.esper[.]cloud, with an enrollment account on a look-alike domain impersonating Sun Life Financial (collinsmckleen@sunlife-finance[.]com).
Clicking opens Windows’ native “Set up a work or school account” wizard, pre-filled with the bogus details. Hit “Next” a few times, and your PC joins an MDM (Mobile Device Management) server controlled by criminals, according to Malwarebytes.
MDM tools let admins remotely push apps, change settings, scan files, lock screens, or even wipe drives, with little or nothing shown to the user.
The attacker’s server runs on Esper, a real enterprise MDM platform. Embedded in the URL is Base64-encoded data pointing to a custom blueprint (ID: 7efe89a9-cfd8-42c6-a4dc-a63b5d20f813) and group (ID: 4c0bb405-62d7-47ce-9426-3c5042c62500).
With no malware executable, there is nothing for traditional signature-based detection to catch. It’s “living off the land”: the attack abuses OS features and cloud services that defenders can’t easily block.
It fits a broader trend of cybercriminals ditching payloads for trusted tools. Browser filters miss it because the user lands in a system dialog, not a fake login page. Email scanners overlook the URI because it is a custom scheme rather than an ordinary web link. Domain blocks falter against reputable hosts like Esper.
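As an added illustration (not code from the article or from Malwarebytes), here is a PowerShell triage helper that pulls ms-device-enrollment: links out of saved page or e-mail content, splits the query string, decodes the Base64 blob if one is present, and checks the enrollment server against an allowlist. The parameter names mode, username, servername and accesstoken follow Microsoft’s documented deep-link format; the sample HTML, the example-mdm.test hostname, the token value and the allowlist entry are constructed for this example and are not the campaign’s real indicators.

```powershell
# Added example: triage ms-device-enrollment: deep links found in saved content.
# Parameter names (mode, username, servername, accesstoken) follow Microsoft's
# documented deep-link format; the sample content further down is constructed.

function Get-EnrollmentLink {
    param([Parameter(Mandatory)][string]$Content)

    # Match the scheme up to the first whitespace, quote or angle bracket.
    $pattern = 'ms-device-enrollment:\?[^\s"''<>]+'
    foreach ($m in [regex]::Matches($Content, $pattern)) {
        $query  = $m.Value.Substring('ms-device-enrollment:?'.Length)
        $params = @{}
        foreach ($pair in $query -split '&') {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) {
                $params[$kv[0].ToLower()] = [uri]::UnescapeDataString($kv[1])
            }
        }
        # The access token is where opaque, Base64-encoded enrollment data rides along.
        $decoded = $null
        if ($params.ContainsKey('accesstoken')) {
            try {
                $decoded = [Text.Encoding]::UTF8.GetString(
                    [Convert]::FromBase64String($params['accesstoken']))
            } catch { $decoded = '<not valid Base64>' }
        }
        [pscustomobject]@{
            Link         = $m.Value
            Mode         = $params['mode']
            Username     = $params['username']
            ServerName   = $params['servername']
            TokenDecoded = $decoded
        }
    }
}

function Test-EnrollmentServerAllowed {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        # Hypothetical allowlist: replace with your own MDM enrollment host(s).
        [string[]]$AllowedHosts = @('enrollment.manage.microsoft.com')
    )
    $serverHost = ($ServerName -replace '^https?://', '') -split '[/:]' | Select-Object -First 1
    foreach ($allowed in $AllowedHosts) {
        if ($serverHost -ieq $allowed -or $serverHost -ilike "*.$allowed") { return $true }
    }
    return $false
}

# Constructed sample: a lure page whose "Update now" button carries the deep link.
# The hostname and token are illustrative; the token decodes to {"blueprint":"example"}.
$sampleHtml = @'
<a href="ms-device-enrollment:?mode=mdm&username=user%40example-mdm.test&servername=https%3A%2F%2Fmdm.example-mdm.test&accesstoken=eyJibHVlcHJpbnQiOiJleGFtcGxlIn0=">Update now</a>
'@

Get-EnrollmentLink -Content $sampleHtml | ForEach-Object {
    $allowed = Test-EnrollmentServerAllowed -ServerName $_.ServerName
    $_ | Add-Member -NotePropertyName Allowed -NotePropertyValue $allowed -PassThru
} | Format-List
```

Run it against a saved copy of a suspicious page or an exported e-mail body; any link whose Allowed field is False names the server the user would have been enrolled into, which is the indicator to block and to hunt for in proxy and mail logs.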
| Attack Feature | How It Evades Detection | Real-World Impact |
|---|---|---|
| ms-device-enrollment: URI | Legit Windows handler; no browser warnings | Bypasses web/email security entirely |
| Esper Cloud Hosting | Reputable SaaS platform | Domain reputation tools stay silent |
| Native Enrollment Wizard | OS-built prompt, not spoofed HTML | Looks 100% trustworthy to users |
| No Malware/Payload | Relies on MDM for control | Antivirus scans find nothing |
How to Check and Remediate Now
If you’ve clicked through (say, from updatemeetmicro[.]online), assume compromise.
- Go to Settings > Accounts > Access work or school.
- Spot unfamiliar entries (e.g., sunlife-finance[.]com or esper[.]cloud)? Select the entry and hit Disconnect.
- Scan with real-time anti-malware for any post-enrollment payloads.
- IT admins: lock down MDM enrollment with Intune or Group Policy (Windows ships a “Disable MDM Enrollment” policy) so users can’t join a device to an unapproved server.
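The manual check above can be scripted. The following PowerShell is an added example, not part of the article or of Malwarebytes’ guidance: it enumerates the enrollment records Windows keeps under HKLM\SOFTWARE\Microsoft\Enrollments, flags any whose server is outside an allowlist, and shows the registry value behind the “Disable MDM Enrollment” Group Policy. The value names read from each enrollment key (EnrollmentType, ProviderID, UPN, DiscoveryServiceFullURL) and the allowlist entry are assumptions for this example; treat the output as a starting point and still remove the account through Settings as described above.

```powershell
# Added example: list MDM enrollments on this Windows machine, flag unexpected
# servers, and (optionally) apply the "Disable MDM Enrollment" policy.
# Assumes the enrollment value names below are present for MDM enrollments.
# Run in an elevated PowerShell session.

function Get-MdmEnrollment {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |   # one GUID key per enrollment
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                Type         = $p.EnrollmentType
                Provider     = $p.ProviderID
                UPN          = $p.UPN
                ServerUrl    = $p.DiscoveryServiceFullURL
            }
        }
}

function Find-SuspiciousEnrollment {
    # Hypothetical allowlist: replace with your own MDM enrollment host(s).
    param([string[]]$AllowedHosts = @('enrollment.manage.microsoft.com'))
    foreach ($e in Get-MdmEnrollment) {
        if (-not $e.ServerUrl) { continue }
        try { $serverHost = ([uri]$e.ServerUrl).Host } catch { $serverHost = $e.ServerUrl }
        $ok = $false
        foreach ($a in $AllowedHosts) {
            if ($serverHost -ieq $a -or $serverHost -ilike "*.$a") { $ok = $true; break }
        }
        if (-not $ok) { $e }
    }
}

function Disable-MdmEnrollment {
    # Same effect as the Group Policy "Disable MDM Enrollment"
    # (Computer Configuration > Administrative Templates > Windows Components > MDM).
    # Caveat: this blocks new enrollment into ANY MDM, including your own, so apply
    # it only to devices that are not (or no longer) meant to be MDM-managed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DisableRegistration' -Value 1 -Type DWord
}

Get-MdmEnrollment | Format-Table -AutoSize
$suspect = Find-SuspiciousEnrollment
if ($suspect) {
    Write-Warning 'Enrollment(s) pointing at non-allowlisted servers:'
    $suspect | Format-Table -AutoSize
}
# Disable-MdmEnrollment   # uncomment to block further enrollment on this device
```

An enrollment whose ServerUrl is an esper[.]cloud host, or any host you do not recognise, is the attacker’s foothold: disconnect it in Settings, then run the anti-malware scan, since the MDM may already have pushed software before you noticed.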