Malicious MDM device enrollment lure — fake Intune / Jamf / Kandji / AirWatch / MobileIron / Hexnode enrollment email pushes a rootkit-level device-management profile (2024-2026 Lookout / Zimperium / Mandiant / Jamf campaigns)

Email lures the recipient into enrolling their iOS / macOS / Android device in a malicious Mobile Device Management (MDM) system by impersonating a legitimate enrollment flow (Microsoft Intune, Jamf, Kandji, VMware Workspace ONE / AirWatch, MobileIron / Ivanti, Hexnode, ManageEngine MDM, Scalefusion, Miradore, IBM MaaS360, Citrix Endpoint Management, Apple Business Manager, Android Enterprise). Once the user accepts the management profile, the attacker has rootkit-level device control: remote wipe, silent app install, VPN configuration (all traffic through attacker-controlled proxy), TLS-MITM certificate install (decrypt HTTPS traffic), location tracking, microphone and camera access on iOS supervised mode and Android enterprise mode — essentially kernel-level access without needing any exploit. Lookout, Zimperium, Mandiant, and Jamf threat-research teams documented 2024-2025 campaigns targeting corporate BYOD programs. Real MDM enrollment always comes from the organization's IT department with verifiable context (ongoing deployment announcement, helpdesk ticket, manager heads-up) — a cold "enroll your device to continue using corporate email" email from an unknown sender is this attack. Fires when body references MDM / device management / enrollment AND contains a device-scope install / provision / accept / approve action AND sender is not a known MDM vendor. Auto-classified as danger via the `-lure` suffix.