A phishing page masquerading as a Google Meet update notice can quietly hand a Windows PC to an attacker-controlled device management server after a single click. According to Malwarebytes, neither a password nor files are stolen, and there are no obvious red flags, because the attack relies on a legitimate Windows feature rather than malware.
The prompt uses a Windows URI scheme, ms-device-enrollment:, which opens the native “Set up a work or school account” dialog and pre-populates the form with the victim’s details while directing the enrollment to the attacker’s endpoint. The attacker’s server is hosted on Esper, a legitimate MDM platform, and base64-encoded parameters reveal a pre-configured blueprint and group ID for the malicious enrollment.
If the user proceeds, the enrolled device can be managed remotely via the attacker’s MDM server, enabling software installation, settings changes, and even device wiping without the user’s knowledge. The article notes that attackers are increasingly abusing OS features and cloud platforms rather than deploying traditional malware.
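For defenders, the enrollment link described above can be spotted in page content or proxy logs before anyone clicks it. The following is an added example, not code from Malwarebytes or the article: the parameter names (mode, username, servername) follow Microsoft's documented enrollment deep link format, while the allowlisted host, the sample page and its IDs are constructed placeholders.

```python
import base64
import binascii
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: the only MDM host this organisation enrolls against (placeholder).
ALLOWED_MDM_HOSTS = {"mdm.corp.example"}
LINK_RE = re.compile(r"ms-device-enrollment:[^\s\"'<>]+", re.IGNORECASE)

def try_b64(token):
    """Return the decoded text if token is base64 of printable UTF-8, else None."""
    if len(token) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_-]+=*", token):
        return None
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def inspect_links(page_text):
    """Report every enrollment deep link and whether its server is expected."""
    findings = []
    for link in LINK_RE.findall(page_text):
        query = html.unescape(link).partition("?")[2]
        params = dict(parse_qsl(query))
        server = params.get("servername", "")
        try:
            host = urlsplit(server if "//" in server else "//" + server).hostname or ""
        except ValueError:  # malformed host, e.g. an unbalanced IPv6 bracket
            host = ""
        # Try every parameter value and every path/query token of the server URL.
        tokens = list(params.values()) + re.split(r"[/?&=]", server)
        decoded = [t for t in map(try_b64, tokens) if t]
        findings.append({"link": link, "host": host, "decoded": decoded,
                         "suspicious": host not in ALLOWED_MDM_HOSTS})
    return findings

# Constructed sample (placeholder host and IDs, not values from the campaign).
_BLOB = base64.urlsafe_b64encode(b"blueprint=BP-PLACEHOLDER&group=GRP-PLACEHOLDER").decode()
SAMPLE_HTML = (
    '<a href="ms-device-enrollment:?mode=mdm&amp;username=user%40corp.example'
    f'&amp;servername=https%3A%2F%2Fmdm.placeholder.example%2Fenroll%2F{_BLOB}">Update</a>'
)

if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_HTML):
        print(finding)
```

Any finding marked suspicious names an enrollment server outside the allowlist, and the decoded list shows what the base64 tokens carried.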