A recent Malwarebytes report says a fake Google Meet update page is abusing a legitimate Windows device-enrollment mechanism. That makes the attack unsettling for a simple reason: no password theft is required at the start, and there may be no obvious malware prompt at all.
According to the report, the fake update page impersonates Google Meet well enough to pass a casual glance, then uses the ms-device-enrollment URI scheme to open a native Windows enrollment flow. If the victim keeps going, the machine can reportedly be enrolled into attacker-controlled management.
Instead of stealing credentials first, the attacker aims for control of the device itself.
This is phishing that leans on real operating-system workflows. The browser is just the handoff point.
Most people think phishing means a fake login page, a password prompt, or a malicious download. This reported campaign is different because it uses a legitimate Windows feature meant for IT provisioning.
Instead of seeing a suspicious executable, the victim sees a real system dialog. Native system prompts naturally feel safer than random browser pop-ups.
The click does not just open another webpage. It reportedly hands the browser session off to a trusted Windows workflow, which means many people will assume they are still moving through a legitimate update process.
The attacker is exploiting trust in the operating system itself, not only trust in a brand or domain.
That is a very different risk profile from a simple credential phish.
Open Windows Settings and review Accounts > Access work or school. Disconnect any unknown or suspicious enrollment immediately. Treat the device as potentially compromised and involve IT or incident response rather than assuming a password reset will fix the problem.
The browser remains the trust handoff point. If the fake update page does not get the click, the chain stops before Windows ever gets involved.
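A check for that handoff at the page level, as an added example that is not from Malwarebytes or PhishClean: it scans page source for the ms-device-enrollment scheme and reports which management server a link points to. The `mode` and `servername` parameter names follow Microsoft's documented enrollment deep-link format rather than anything on this page, and the sample page and host name are constructed.

```javascript
// Added example: detect ms-device-enrollment: handoffs in page source.
// SAMPLE_PAGE and its host name are constructed for illustration only.
const SAMPLE_PAGE = `
<h1>Update Google Meet</h1>
<a href="ms-device-enrollment:?mode=mdm&amp;servername=mdm.unknown-tenant.example">Update now</a>
<script>
  function fallback() {
    window.location.href = "MS-Device-Enrollment:?mode=mdm&servername=mdm.unknown-tenant.example";
  }
</script>
<a href="https://meet.google.com/">Open Meet</a>`;

// URI schemes are case-insensitive; stop at characters that end an attribute or string.
const SCHEME_RE = /ms-device-enrollment:[^\s"'<>)]*/gi;

// Undo the HTML escaping most likely to hide the scheme or split its query string.
function decodeEntities(s) {
  return s.replace(/&#(?:x3a|58);/gi, ":").replace(/&amp;/gi, "&");
}

// Return every enrollment deep link found, with its query parameters parsed.
function findEnrollmentHandoffs(html) {
  const findings = [];
  for (const m of decodeEntities(html).matchAll(SCHEME_RE)) {
    const uri = m[0];
    const q = uri.indexOf("?");
    const query = q >= 0 ? uri.slice(q + 1) : "";
    findings.push({ uri, params: Object.fromEntries(new URLSearchParams(query)) });
  }
  return findings;
}

// Unique management servers a page would hand the device to (empty if none named).
function enrollmentServers(html) {
  const servers = findEnrollmentHandoffs(html)
    .map((f) => (f.params.servername || "").toLowerCase())
    .filter(Boolean);
  return [...new Set(servers)];
}

console.log(findEnrollmentHandoffs(SAMPLE_PAGE));
console.log(enrollmentServers(SAMPLE_PAGE));
```

Any hit on an ordinary web page is worth blocking or alerting on, since legitimate enrollment links normally come from an organization's own IT channels.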
This post is based on Malwarebytes' March 6 article "One click on this fake Google Meet update can give attackers control of your PC."
Why is the fake Google Meet update page dangerous?
Because it reportedly uses a legitimate Windows device-enrollment mechanism to open a real system workflow that can enroll the victim's PC into attacker-controlled management.
Why is this different from normal phishing?
The attack does not need to steal a password first or drop obvious malware. It abuses a legitimate operating-system feature and trusted management infrastructure instead.
What should someone do if they clicked and completed enrollment?
Treat the machine as potentially compromised, check Access work or school settings, disconnect any unknown enrollment, and involve IT or incident response immediately.
PhishClean helps detect suspicious pages and browser-level phishing signals before a single click moves into a much riskier workflow.