Fake Google Meet Update Phishing Attack Grants Remote PC Access

A phishing campaign has been identified that uses a fake Google Meet update prompt to enroll Windows computers into a device management system controlled by attackers. This development is notable because it leverages legitimate Windows features to gain unauthorized remote access to affected devices.

The phishing page presents itself as a Google Meet update, prompting users to click “Update now” or “Learn more” buttons. When clicked, these buttons activate the Windows ms-device-enrollment: URI, which opens the official “Set up a work or school account” dialog. The dialog is pre-filled with server details controlled by the attacker, making the process appear legitimate to the user.

After the device is enrolled through this method, the attacker’s Mobile Device Management (MDM) server can use standard operating system functions to install or remove software, alter system settings, access files, and even lock or erase the device. The MDM server used in the attack is hosted on Esper, a commercial MDM platform, with specific blueprint and group identifiers embedded in the enrollment link.

Technical analysis from multiple sources, including security researchers and industry forums, has confirmed that this campaign impersonates Google Meet to enroll Windows devices into malicious MDM systems. Reports indicate that users who interact with the phishing page unknowingly grant adversaries full administrative control over their computers.

What the numbers show

• The phishing campaign uses the ms-device-enrollment: URI to trigger Windows enrollment dialogs
• Esper, a legitimate MDM provider, is used to host the attacker’s server with embedded group IDs
• Security researchers and technical analysis have documented the campaign since at least March 2026

In addition to the MDM enrollment method, security researchers have documented related phishing campaigns that use fake Google Meet and Zoom pages to distribute Teramind monitoring software. These campaigns repurpose Teramind, a legitimate monitoring tool, to conduct unauthorized surveillance on Windows machines.

One variant of the attack presents a fabricated Microsoft Store page labeled as “Google Meet for Meetings,” created by a fictitious entity. This page delivers a Teramind MSI installer, further expanding the range of tools available to attackers for unauthorized access and monitoring.

Community discussions on security forums and Reddit have highlighted that these phishing campaigns trick users into enrolling their devices or installing monitoring software, resulting in adversaries gaining full control over the affected systems. The use of legitimate platforms and software in these attacks increases the risk of users being deceived by the authenticity of the prompts and installation processes.

Industry reaction

Teramind stated it was not involved in the phishing campaign and condemned any unauthorized use of its software. The company confirmed its position in response to reports of its tool being repurposed for unauthorized surveillance through these phishing incidents.

* This article is based on publicly available information at the time of writing.