A fake Google Meet button, and your PC no longer belongs to you
Google Meet tells you an update is required to keep using the service. The page is clean, in Google's colors, with a clearly visible "Update now" button. You click. No file downloads.

You are in the middle of a workday. A tab opens in your browser: Google Meet tells you an update is required to keep using the service. The page is clean, in Google's colors, with a clearly visible "Update now" button. You click. No file downloads. No alert from your antivirus. Everything looks normal. Except that your computer just changed owner.
The attack that doesn't look like an attack
This scenario is not theoretical. It matches an attack campaign documented in early March 2026 by researchers at Malwarebytes, and it is remarkable for what it does not use. No malware. No suspicious download. No booby-trapped attachment. The entire attack relies on perfectly legitimate Windows features and on a commercial device management platform.
Here is how it works. The victim lands on a page that mimics Google Meet: the domain used in this campaign was updatemeetmicro[.]online. When you click the update button, no executable is launched. Instead, the click triggers a protocol built into Windows called ms-device-enrollment. This protocol is normally used in corporate environments to enroll a computer in a device management system, what is called an MDM (Mobile Device Management). It is the same mechanism your IT department uses when it configures your company PC remotely.

Windows then opens a system window, not a web page, a real Windows window, offering to set up a work or school account. The form is prefilled with an identifier controlled by the attackers, pointing to an MDM server hosted on Esper, a commercial platform used by real companies. If the user confirms, thinking they are following a legitimate procedure, it is over. Their computer is enrolled in the attackers' management infrastructure.
Total control, without a single virus
And this is where the attack becomes fascinating from a technical standpoint. The ms-device-enrollment protocol works exactly as Microsoft designed it, and the Esper platform works exactly as Esper designed it. The attackers exploited no software flaw. They simply redirected legitimate mechanisms toward someone who never gave their consent. To an antivirus, there is strictly nothing abnormal to detect. The enrollment window is a real Windows window, not a rigged web page. It therefore slips past browser filters, email scanners and most classic detection tools.

Once the device is enrolled in the attackers' MDM system, they have exactly the same level of control as a legitimate IT administrator. They can install or remove software remotely, access the machine's files, change system settings, lock the screen, deploy surveillance tools, or even wipe the computer entirely. All of it without the user receiving the slightest alert.
Living off the land: the attackers' new philosophy
This type of attack illustrates a deep shift in cybersecurity that specialists call "living off the land." Rather than developing sophisticated malware that risks being caught by security solutions, attackers prefer to use the tools already present on the victim's machine. The operating system becomes the weapon. The corporate platform becomes the vector. And the user's trust in the interfaces they recognize becomes the main vulnerability.
It is a complete reversal of the classic attack model. For years, cybersecurity was built around a simple logic: identify and block malicious elements. But when the attack contains no malicious element in the technical sense of the term, when each component taken on its own is legitimate, that logic collapses. It is no longer the code that is malicious. It is the intent. And intent is something no antivirus knows how to detect.
This campaign is not an isolated case either. Since early 2026, several variants have exploited the same principle with imitations of Zoom and Microsoft Teams, using fake Microsoft Store pages or fake video waiting rooms to push victims into installing commercial surveillance agents diverted from their legitimate purpose. The pattern repeats: visual trust, simulated urgency, legitimate tool turned against you.

What it changes for us
This kind of attack forces us to rethink what "being protected" means. Having an up-to-date antivirus is no longer enough when the attack uses no malware. Having a secure browser is no longer enough when the trap runs inside a Windows system window. The last line of defense is human vigilance, and that is precisely what these attacks target.
A few concrete reflexes are worth internalizing. A legitimate Google Meet update never shows up in a random web page: it goes through Google Workspace, the Play Store, the App Store or Google's official site. If a Windows window asks you to set up a "work or school account" without you having requested anything, the right reflex is to click Cancel immediately. And if you are an IT administrator in a company, the question is no longer optional: you have to restrict the authorized MDM servers for enrollment through tools like Microsoft Intune.
But beyond these reflexes, it is our relationship to digital trust that needs questioning. We have been taught to be wary of dubious attachments and suspicious websites. But we have not been taught to be wary of a Windows window that looks like a perfectly normal corporate procedure. The attackers, for their part, have understood this very well.
When protection tools go blind because the attack uses only legitimate components, when the most trusted interface in your operating system becomes the point of entry, one question forces itself upon us: at what point do we stop trusting what we see on our screens?
Questions fréquentes
Why doesn't my antivirus detect this attack?
Because it carries no malicious element: it reuses a legitimate Windows protocol (ms-device-enrollment) and a commercial MDM platform (Esper). Each component taken on its own is normal, so there is nothing abnormal to flag.
What actually happens if I confirm the Windows window?
Your computer is enrolled in the attackers' device management system. They then have the same level of control as an IT administrator: installing or removing software, accessing files, surveilling, locking the screen or wiping the machine, without any alert.
How do I recognize a genuine Google Meet update?
A legitimate update never shows up in a random web page. It goes through Google Workspace, the Play Store, the App Store or Google's official site.
What is the right reflex when faced with an unsolicited Windows "work or school account" window?
Click Cancel immediately. If you manage a fleet, also restrict the authorized MDM servers for enrollment through tools like Microsoft Intune.
What is "living off the land"?
An approach where attackers write no malware but divert the tools already present on the machine and the legitimate corporate platforms. The operating system becomes the weapon, and the user's trust becomes the main vulnerability.
Sources & méthodologie
- Malwarebytes, research documenting the campaign (early March 2026)

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
