Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA

CYBERATTACKS & DATA BREACHES ENDPOINT SECURITY MOBILE SECURITY REMOTE WORKFORCE NEWS Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA In hard-to-detect attacks, hackers are dropping the CloudZ RAT and a fresh plug-in, Pheno, to hijack the Windows-based bridge between PCs and smartphones. Elizabeth Montalbano,Contributing Writer May 6, 2026 5 Min Read SOURCE: MOHD IZZUAN ROSIAN VIA ALAMY STOCK PHOTO Attackers are abusing a Microsoft Windows tool with an intent to spy on and steal SMS messages and one-time-passwords (OTPs) from mobile devices. In an ongoing threat campaign that started in January, they first compromise PCs, and then use malware to abuse a link to the devices to intercept and steal data, researchers have discovered. According to researchers from Cisco Talos, the attack shows a unique attack flow with the actors abusing a Microsoft Phone Link on a Windows PC to exploit the trust relationship the tool creates with smartphones. In a report published this week. Phone Link, which is preinstalled on Windows 10 and 11 and was previously called "Your Phone," is a built-in Windows app that syncs text messages, notifications, and calls between mobile devices and PCs. "We found this attack slightly distinct, as the attacker is attempting to steal the sensitive information from mobile phones that are already paired with the Windows PC without deploying mobile malware," Cisco Talos researcher Chetan Raghuprasad tells Dark Reading. "We don't commonly see this connection leveraged in attacks." Related:Instructure Breach Exposes Schools' Vendor Dependence Attackers use a combination of the modular CloudZ remote access Trojan (RAT) and a new plug-in, Pheno, to hijack the bridge between Phone Link and devices. Pheno continuously scans for active Phone Link processes and can potentially intercept sensitive mobile data like SMS messages and two-factor authentication (2FA), all without actually deploying malware on the phone, according to the researchers. "With confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application's SQLite database file … on the victim machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages," Raghuprasad and Cisco Talos's Alex Karkins wrote in the report. Phone Link's Cross-Device Sync Abused The findings demonstrate how cross-device syncing can create an unexpected path to credential theft without attackers ever manipulating the mobile device itself, Cisco Talos tells Dark Reading. By abusing a legitimate Windows functionality, attackers could gain a 2FA bypass capability — effectively eliminating an identity authentication step many users think keeps their devices secure. Microsoft did not immediately reply to Dark Reading's request for comment Wednesday on the attack. Cisco Talos learned from telemetry data that an intrusion they observed began with unknown initial access vector to the victim's environment, leading to the execution of a fake ScreenConnect app-update executable. This in turn executes an intermediate .NET loader executable, which subsequently deploys the modular CloudZ RAT on the victim’s machine.  Related:Middle East Cyber Battle Field Broadens — Especially in UAE CloudZ includes capabilities for browser credential theft, shell command execution, screen recording, plug-in deployment, and file management. Upon execution, it decrypts its configuration data, establishes an encrypted socket connection to the command-and-control (C2) server, and enters its command dispatcher mode.  "CloudZ facilitates the command-and-control (C2) commands to exfiltrate credentials from the victim machine browser data, and it downloads and implants a plug-in, which performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in a staging folder," the researchers wrote. "CloudZ reads back the Phone Link application data from the staging folder and sends it to the C2 server." The plug-in dropped by CloudZ in the attack is Pheno, malware that the researchers said they hadn't seen before. "Pheno is designed to detect if a user is currently syncing their mobile device to a Windows machine through the Phone Link application," according to the post.  Related:Trellix Source Code Breach Highlights Growing Supply Chain Threats The plug-in does this by focusing specifically on reconnaissance of Phone Link processes such as "YourPhone" and "PhoneExperienceHost." If an active relay session is detected, the malware flags the system as "Maybe connected," indicating the attackers may be able to monitor SMS traffic and OTP delivery. Mitigating & Avoiding 2FA Bypass Attacks So far the researchers have not seen evidence that the attack vector has successfully exfiltrated data, Raghuprasad says. "Still, the staging URLs of Pastebin are active, indicating high likelihood that the attacks are ongoing," he notes. The attack is yet more evidence that 2FA is not a foolproof way to protect people's personal and business accounts from being compromised, especially when device users in this case may be completely unaware that anything suspicious is happening. In fact, recent research from Proofpoint recently found that attackers are finding myriad ways around multifactor authentication (MFA), particularly via phishing kits, and its activation doesn't ensure that an account won't be compromised.  In the case of the Phone Link attack, to protect users against 2FA compromise, defenders can use methods of secondary authentication that don't rely on OTPs or SMS-based methods to eliminate the risk. Organizations using Windows PCs that have Phone Link pre-installed should determine if the app is really necessary for use by their employees and, if not, disable it to protect themselves from the attack, the researchers said. To understand if they've been targeted, organizations can update their behavioral detection engines to look for the execution of regasm.exe with unusual arguments and unauthorized schedule tasks, and also block the C2 server IP addresses associated with the attack — info that Cisco Talos has provided in the post, Raghuprasad says. Cisco Talos also posted indicators of compromise (IoCs) on a GitHub page and in the report, provided specific ClamAV signature and Snort Rules (SIDs) for detecting and blocking the threat. Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now! About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Sysdig 2025 Cloud-Native Security and Usage Report Access More Research Webinars Anatomy of a Data Breach: What to Do if it Happens to You How Well Can You See What's in Your Cloud? Implementing CTEM: Beyond Vulnerability Management Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Zero Trust Architecture for Cloud environments: Implementation Roadmap More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Critical Fortinet Flaws Under Active Attack by Jai Vijayan, Contributing Writer DEC 17, 2025 CYBERATTACKS & DATA BREACHES CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks by Rob Wright DEC 04, 2025 CYBERATTACKS & DATA BREACHES F5 BIG-IP Environment Breached by Nation-State Actor by Alexander Culafi OCT 15, 2025 CYBERATTACKS & DATA BREACHES Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business by Robert Lemos, Contributing Writer OCT 03, 2025 Editor's Choice CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 IDENTITY & ACCESS MANAGEMENT SECURITY Oracle Red Bull Racing Team Revs Up Automation to Boost Security byArielle Waldman APR 30, 2026 5 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET How Well Can You See What's in Your Cloud? THURS, JUNE 4, 2026 AT 1:00PM EST Implementing CTEM: Beyond Vulnerability Management THURS, MAY 21, 2026 AT 1PM EST Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning MON, MAY 11, 2026 AT 1:00PM ET Zero Trust Architecture for Cloud environments: Implementation Roadmap TUES, MAY 12, 2026 AT 1PM EST More Webinars BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS