Threat actors have been observed abusing trusted collaboration tools to gain access to victims’ machines, and new research shows Google Meet as the latest brand being impersonated in malware campaigns.
Security firm Sublime disclosed the activity in a blog post published last week, outlining a campaign targeting Google Workspace users using fraudulent Google Meet invitations. The emails were sent from domains registered fewer than 20 days earlier, a common red flag in phishing and malware operations.
In the observed attack chain, recipients clicking on a fake “Join with Google Meet” link were redirected to a spoofed website designed to look like a real meeting page. The domain contained subtle misspellings and character substitutions, intended to evade detection tools while appearing authentic to users.
The landing page displayed a fake “Joining…” screen, followed by an “Update Required” prompt. Victims were then routed to a counterfeit Microsoft Store page hosting a malicious Google Meet installer file.
When executed, the MSI package installed Teramind, a legitimate employee monitoring and remote access tool, configured in this case to allow attackers to take control of the compromised endpoint.
The installer also triggered an automated notification via Telegram, sending system data including operating system (OS), IP address, browser type, geolocation, device type, and internet service provider details.
Sublime identified several detection signals associated with the campaign. These included the lookalike domain, the recently registered sender infrastructure, and a failed DomainKeys Identified Mail (DKIM) authentication check. Researchers also noted the absence of standard Google branding elements in the email’s HTML formatting.
“Attacks featuring fake meeting invites are increasing in popularity,” Sublime researchers wrote, adding that even relatively simple impersonation tactics can succeed against fast-moving users.
Enforcing email authentication, monitoring newly registered domains, and detecting unauthorized installations of remote monitoring tools are critical controls for containing the impact of such campaigns.
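Three of the detection signals Sublime lists (a lookalike link domain, a sender domain registered fewer than 20 days earlier, and a failed DKIM check) can be evaluated mechanically on a raw message. The sketch below is an added example, not code from Sublime or the original article; the sample message, all domains, the registration-date table (a stand-in for a WHOIS/RDAP lookup), the homoglyph table and the 0.8 similarity threshold are constructed assumptions.

```python
import email
import re
from datetime import date
from difflib import SequenceMatcher
from email.utils import parseaddr

BRAND = "google"
HOMOGLYPHS = str.maketrans("013", "ole")  # assumed substitution table
MAX_AGE_DAYS = 20  # the campaign's sender domains were younger than this

# Constructed sample message; every domain and header value is invented.
RAW = """\
From: Google Meet <invite@meet-notify.example>
To: user@corp.example
Subject: Invitation: Project sync
Authentication-Results: mx.corp.example; dkim=fail header.d=meet-notify.example
Content-Type: text/html

<a href="https://meet.go0gle.example/abc-defg-hij">Join with Google Meet</a>
"""
REGISTERED = {"meet-notify.example": date(2025, 1, 10)}  # stand-in for WHOIS/RDAP

def is_lookalike(host):
    """True when a label imitates the brand by substitution or misspelling."""
    host = host.lower()
    if host == "google.com" or host.endswith(".google.com"):
        return False
    for label in re.split(r"[.-]", host):
        if label == BRAND:
            continue  # exact brand label on another domain is out of scope here
        close = SequenceMatcher(None, label, BRAND).ratio() >= 0.8
        if label.translate(HOMOGLYPHS) == BRAND or close:
            return True
    return False

def signals(raw, registered, today):
    """Return the campaign signals present in one raw message."""
    msg = email.message_from_string(raw)
    found = []
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    created = registered.get(sender)
    if created and (today - created).days < MAX_AGE_DAYS:
        found.append("new_sender_domain")
    dkim = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    if dkim and dkim.group(1).lower() == "fail":
        found.append("dkim_fail")
    hosts = re.findall(r'href="https?://([^/"\s:]+)', msg.get_payload())
    if any(is_lookalike(h) for h in hosts):
        found.append("lookalike_link")
    return found

if __name__ == "__main__":
    print(signals(RAW, REGISTERED, date(2025, 1, 22)))
```

No single signal is conclusive on its own; the value is in requiring several to co-occur before quarantining or alerting.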