Feed aggregator
One click on this fake Google Meet update can give attackers control of your PC
A phishing page disguised as a Google Meet update notice is silently handing victims’ Windows computers to an attacker-controlled management server. No password is stolen, no files are downloaded, and there are no obvious red flags.
It just takes a single click on a convincing Google Meet fake update prompt to enroll your Windows PC into an attacker-controlled device management system.
“To keep using Meet, install the latest version”
The social engineering is almost embarrassingly simple: an app update notice in the right brand colors.
The page impersonates Google Meet well enough to pass a casual glance. But neither the Update now button nor the Learn more link below it goes anywhere near Google.
Both trigger a Windows deep link using the ms-device-enrollment: URI scheme. That’s a handler built into Windows so IT administrators can send staff a one-click device enrollment link. The attacker has simply pointed it at their own server instead.
What “enrollment” actually means for your machine
The moment a visitor clicks, Windows bypasses the browser and opens its native Set up a work or school account dialog. That’s the same prompt that appears when a corporate IT team provisions a new laptop.
The URI arrives pre-populated: The username field reads collinsmckleen@sunlife-finance.com (a domain impersonating Sun Life Financial), and the server field already points to the attacker’s endpoint at tnrmuv-api.esper[.]cloud.
The attacker isn’t trying to perfectly impersonate the victim’s identity. The goal is simply to get the user to click through a trusted Windows enrollment workflow, which grants device control regardless of whose name appears in the form. Campaigns like this rarely expect everyone to fall for them. Even if most people stop, a small percentage continuing is enough for the attack to succeed.
A victim who clicks Next and proceeds through the wizard will hand their machine to an MDM (mobile device management) server they have never heard of.
MDM (Mobile Device Management) is the technology companies use to remotely administer employee devices. Once a machine is enrolled, the MDM administrator can silently install or remove software, enforce or change system settings, read the file system, lock the screen, and wipe the device entirely, all without the user’s knowledge.
There is no ongoing malware process to detect, because the operating system itself is doing the work on the attacker’s behalf.
The attacker’s server is hosted on Esper, a legitimate commercial MDM platform used by real enterprises.
Decoding the Base64 string embedded in the server URL reveals two pre-configured Esper objects: a blueprint ID (7efe89a9-cfd8-42c6-a4dc-a63b5d20f813) and a group ID (4c0bb405-62d7-47ce-9426-3c5042c62500). These represent the management profile that will be applied to any enrolled device.
The ms-device-enrollment: handler works exactly as Microsoft designed it, and Esper works exactly as Esper designed it. The attacker has simply pointed both at someone who never consented.
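A defender can triage a captured page or email body for this pattern by pulling out every ms-device-enrollment: link, reading its pre-filled username and servername parameters, and comparing the server host with the MDM hosts the organization actually uses. The sketch below is an added example, not code from the article or from Esper or Microsoft; the allowlist host, the sample page, and the JSON layout of the Base64 blob are constructed placeholders.

```python
import base64
import binascii
import html
import re
from urllib.parse import parse_qs, urlsplit

APPROVED_MDM_HOSTS = {"mdm.corp.example"}  # assumption: your organisation's allowlist
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["'](ms-device-enrollment:[^"']*)""", re.I)
UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")

def decode_ids(server_url):
    """Return UUIDs found in Base64-looking path segments or query values."""
    parts = urlsplit(server_url)
    candidates = parts.path.split("/")
    candidates += [v.replace(" ", "+") for vs in parse_qs(parts.query).values() for v in vs]
    ids = []
    for token in candidates:
        if not B64_RE.fullmatch(token):
            continue
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except (binascii.Error, ValueError):
            continue
        ids += UUID_RE.findall(raw.decode("utf-8", "ignore"))
    return ids

def find_enrollment_links(page_html, approved=APPROVED_MDM_HOSTS):
    """List every ms-device-enrollment: link with its pre-filled user and server."""
    findings = []
    for raw in LINK_RE.findall(page_html):
        params = parse_qs(html.unescape(raw).split(":", 1)[1].lstrip("?"))
        server = params.get("servername", [""])[0]
        host = (urlsplit(server if "//" in server else "//" + server).hostname or "").lower()
        findings.append({"username": params.get("username", [""])[0], "server_host": host,
                         "approved": host in approved, "embedded_ids": decode_ids(server)})
    return findings

# Constructed sample: hosts, user, IDs and the JSON layout of the blob are placeholders.
_BLOB = base64.urlsafe_b64encode(
    b'{"blueprint":"11111111-2222-3333-4444-555555555555",'
    b'"group":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}').decode()
SAMPLE_HTML = (
    '<a href="ms-device-enrollment:?mode=mdm&amp;username=user%40lookalike.example'
    '&amp;servername=https%3A%2F%2Fmdm.untrusted.example%2Fenroll%2F' + _BLOB + '">Update now</a>'
    '<a href="https://meet.google.com/">Open Meet</a>')

if __name__ == "__main__":
    for finding in find_enrollment_links(SAMPLE_HTML):
        print(finding)
```

Any finding with `approved` set to false is worth escalating even when the host belongs to a reputable MDM vendor, since the article's point is that vendor reputation says nothing about who controls the tenant.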
No malware, no credential theft. That’s the problem.
There is no malicious executable here, and no phished Microsoft login.
The ms-device-enrollment: handler is a documented, legitimate Windows feature that the attacker has simply redirected.
Because the enrollment dialog is a real Windows system prompt rather than a spoofed web page, it bypasses browser security warnings and email scanners looking for credential-harvesting pages.
The command infrastructure runs on a reputable SaaS platform, so domain-reputation blocking is unlikely to help.
Most conventional security tools have no category for “legitimate OS feature pointed at hostile infrastructure.”
The broader trend here is one the security industry has been watching with growing concern: attackers abandoning malware payloads in favor of abusing legitimate operating system features and cloud platforms.
What to do if you think you’ve been affected
Because the attack relies on legitimate system features rather than malware, the most important step is checking whether your device was enrolled.
- Check whether your device was enrolled:
  - Open Settings > Accounts > Access work or school.
  - If you see an entry you don’t recognize, especially one referencing sunlife-finance[.]com or esper[.]cloud, click it and select Disconnect.
- If you clicked “Update now” on updatemeetmicro[.]online and completed the enrollment wizard, treat your device as potentially compromised.
- Run an up-to-date, real-time anti-malware solution to check for any secondary payloads the MDM server may have pushed after enrollment.
- If you are an IT administrator, consider whether your organization needs a policy blocking unapproved MDM enrollment. Microsoft Intune and similar tools can restrict which MDM servers Windows devices are allowed to join.
Follow this comprehensive contact center security checklist that encompasses technology safeguards, customer data protection procedures and common business sense.
Ask/Show HN: Low margin B2C product in a crowded market. What to do?
Article URL: https://bookmadeforyou.com
Comments URL: https://news.ycombinator.com/item?id=47279876
Points: 1
# Comments: 1
Pentagon names former DOGE employee Gavin Kliger as new chief data officer
Article URL: https://defensescoop.com/2026/03/06/doge-dod-gavin-kliger-new-pentagon-chief-data-officer/
Comments URL: https://news.ycombinator.com/item?id=47279870
Points: 1
# Comments: 0
Claude Code [Beta] for Intellij
Article URL: https://plugins.jetbrains.com/plugin/27310-claude-code-beta-
Comments URL: https://news.ycombinator.com/item?id=47279865
Points: 1
# Comments: 0
Boosting the Tesla tower strike energy
Article URL: https://www.youtube.com/watch?v=RoGbrgOhPes
Comments URL: https://news.ycombinator.com/item?id=47279854
Points: 1
# Comments: 0
Making music on the TI graphing calculator
Article URL: https://cdm.link/making-music-on-the-ti-82/
Comments URL: https://news.ycombinator.com/item?id=47279839
Points: 2
# Comments: 0
The Weight of AI on Engineers
Article URL: https://quii.dev/The_weight_of_AI_on_engineers
Comments URL: https://news.ycombinator.com/item?id=47279829
Points: 1
# Comments: 0
Show HN: VaultNote – Local-first encrypted note-taking in the browser
Hi HN,
I built VaultNote, a local-first note-taking app that runs entirely in the browser.
Key ideas:
- 100% local-first: no backend or server
- No login, accounts, or tracking
- Notes stored locally in IndexedDB / LocalStorage
- AES encryption with a single master password
- Tree-structured notes for organizing knowledge
The goal was to create a simple note app where your data never leaves your device. You can open the site, enter a master password, and start writing immediately.
Since everything is stored locally, VaultNote also supports import/export so you can back up your data.
Curious to hear feedback from the HN community, especially on:
- the security approach (local AES encryption)
- IndexedDB storage design
- local-first UX tradeoffs
Demo: https://vaultnote.saposs.com
Thanks!
Comments URL: https://news.ycombinator.com/item?id=47279803
Points: 1
# Comments: 0
BLM Acquires Inholding in Colorado's Dominguez-Escalante NCA
Article URL: https://coloradosun.com/2026/03/06/blm-acquires-escalante-ranch/
Comments URL: https://news.ycombinator.com/item?id=47279799
Points: 1
# Comments: 0
How to Build a Data Agent in 2026
Article URL: https://twitter.com/jamiequint/status/2029705203457609785
Comments URL: https://news.ycombinator.com/item?id=47279796
Points: 1
# Comments: 0
Oura buys gesture-navigation startup DoublePoint
Article URL: https://www.engadget.com/wearables/oura-buys-gesture-navigation-startup-doublepoint-163758659.html
Comments URL: https://news.ycombinator.com/item?id=47279790
Points: 1
# Comments: 0
Codex for Open Source
Article URL: https://developers.openai.com/codex/community/codex-for-oss/
Comments URL: https://news.ycombinator.com/item?id=47279781
Points: 2
# Comments: 0
Nested Training for Mutual Adaptation in Human-AI Teaming
Article URL: https://arxiv.org/abs/2602.17737
Comments URL: https://news.ycombinator.com/item?id=47279778
Points: 1
# Comments: 0
Codex for Open Source Software
Article URL: https://openai.com/form/codex-for-oss/
Comments URL: https://news.ycombinator.com/item?id=47279774
Points: 1
# Comments: 0
macOS Tahoe windows have different corner radiuses
Article URL: https://lapcatsoftware.com/articles/2026/3/1.html
Comments URL: https://news.ycombinator.com/item?id=47279761
Points: 2
# Comments: 0
Htmx Infinite Scroll
Article URL: https://alchemists.io/articles/htmx_infinite_scroll
Comments URL: https://news.ycombinator.com/item?id=47279730
Points: 1
# Comments: 0
Show HN: Tri·TFM Lens – 5-axis quality evaluation for ChatGPT/Gemini responses
I built a Chrome extension that evaluates AI chatbot responses across 5 dimensions: Emotion (tone fit), Fact (verifiability), Narrative (structure), Depth (explains WHY vs just WHAT), and Bias (directional framing).
One click next to any ChatGPT or Gemini response → 2 seconds → full quality profile with a Balance score (STABLE/DRIFTING/DOM).
Some results that surprised me:
- "How are you?" → DRIFTING. High emotion, zero facts, zero depth.
- "Why don't antibiotics work on viruses?" → STABLE, Fact=0.95, Depth=0.75
- Persuasive prompts → Bias=+0.72. The model doesn't pretend to be neutral.
- Philosophical answers → Fact=0.40 even with citations. Citing Kant doesn't make unfalsifiable claims verifiable.
The Fact axis uses a 3-step calibration: classify the question as falsifiable or not → apply a ceiling → score within it. This transfers across models at r=0.96.
Interesting negative finding: RLHF-trained models compensate for shallow prompts by adding unsolicited explanations. The Depth axis rubric works (5/5 on controlled responses) but in practice models over-explain everything.
Stack: Manifest V3, vanilla JS, Gemini Flash API as judge, Balance computed client-side. Uses your own API key, no data stored.
Research paper with full methodology and 100-prompt validation available on request.
Comments URL: https://news.ycombinator.com/item?id=47279727
Points: 1
# Comments: 1
Let's build a tool-using agent
Article URL: https://educatedguesswork.org/posts/tool-calling/
Comments URL: https://news.ycombinator.com/item?id=47279719
Points: 2
# Comments: 0
