A phishing chain built around familiar Windows update tools shows how attackers can turn routine maintenance paths into covert launch points for credential theft.