A convincing fake Google Meet update page uses Windows’ ms-device-enrollment deep link to silently enroll victims’ PCs into an attacker-controlled MDM server hosted on Esper. The attack leverages legitimate OS and SaaS features, with no malware or credential theft, so it bypasses browser and email protections and grants the attacker remote management of the device. #GoogleMeet #ms_device_enrollment #Esper #SunLife_Financial
Key points
- A fake Google Meet update page triggers the ms-device-enrollment: URI and opens Windows’ native enrollment dialog.
- Clicking the prompt can enroll the PC in an attacker-controlled Esper MDM server (tnrmuv-api.esper[.]cloud) using preconfigured blueprint and group IDs.
- Once the device is enrolled, the MDM administrator can silently install or remove software, change settings, read files, lock the screen, and wipe the device.
- There is no malicious executable or stolen credentials—legitimate Windows and Esper features are abused, so usual defenses and reputation-based blocks may miss it.
- If affected, check Settings > Accounts > Access work or school for unknown entries and disconnect them, run up-to-date anti-malware scans, and consider policies to block unapproved MDM enrollments via Intune.
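The manual check in the last point (Settings > Accounts > Access work or school) can be scripted for fleet-wide triage. The following PowerShell is an added example and is not from the article or from Esper or Microsoft: it reads the enrollment records Windows keeps under HKLM\SOFTWARE\Microsoft\Enrollments, shows the enrolling server for each, and flags any server host that is not on an allowlist. The allowlist contents are a placeholder to be replaced with your organisation's real MDM hostnames, and the event-log query at the end only surfaces recent enrollment activity for review.

```powershell
# Added example (not from the original article): list MDM enrollments on a Windows host
# and flag any whose enrollment server is not on an approved list.
# Placeholder allowlist: replace with the MDM hostnames your organisation actually uses.
$ApprovedMdmHosts = @('manage.microsoft.com', 'enrollment.manage.microsoft.com')

$EnrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$Findings   = @()

# Real enrollments live in GUID-named subkeys; other subkeys (Status, Ownership, ...) are housekeeping.
Get-ChildItem -Path $EnrollRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f-]{36}\}?$' } |
    ForEach-Object {
        $p   = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $url = $p.DiscoveryServiceFullURL
        $serverHost = $null
        if ($url) {
            try { $serverHost = ([System.Uri]$url).Host.ToLower() } catch { $serverHost = $url }
        }

        $Findings += [PSCustomObject]@{
            EnrollmentId   = $_.PSChildName
            EnrollmentType = $p.EnrollmentType      # numeric type recorded by Windows
            ProviderID     = $p.ProviderID          # e.g. the MDM vendor's provider string
            UPN            = $p.UPN                 # account used at enrollment, if any
            ServerHost     = $serverHost
            Approved       = [bool]($serverHost -and ($ApprovedMdmHosts -contains $serverHost))
        }
    }

$Findings | Format-Table -AutoSize

# Any enrollment pointing at a server outside the allowlist deserves a look and, if unknown,
# should be disconnected from Settings > Accounts > Access work or school.
$Suspect = $Findings | Where-Object { $_.ServerHost -and -not $_.Approved }
if ($Suspect) {
    Write-Warning "Unapproved MDM enrollment(s) found on $env:COMPUTERNAME:"
    $Suspect | Format-Table EnrollmentId, ProviderID, UPN, ServerHost -AutoSize
}

# Recent enrollment activity from Windows' built-in MDM diagnostics channel, for timeline context.
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it in an elevated PowerShell session on the endpoint being triaged, or push it through your endpoint management tooling and collect the warning output; an entry whose server host matches the esper[.]cloud domain named above would be flagged as unapproved under this allowlist.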