Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs
A newly identified malware campaign is abusing Microsoft’s Phone Link feature to intercept SMS-based one-time passwords and other sensitive mobile data directly from Windows systems. The activity, first observed by Cisco Talos in January 2026, involves a remote access trojan dubbed CloudZ and a custom plugin named Pheno that together allow attackers to harvest credentials and potentially capture authentication codes synced from a user’s smartphone, Talos researchers Alex Karkins and Chetan Raghuprasad wrote in a blog post.

“According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims’ credentials and potentially one-time passwords (OTPs),” the researchers wrote.

The attack does not target the mobile device itself. Instead, it exploits the trust relationship between phones and Windows PCs by monitoring data mirrored through the Phone Link application, the blog post said.

CloudZ “utilizes the custom Pheno plugin to hijack the establ