ScreenConnect: New Infostealer Dubbed ‘Pheno’ Hijacks Windows’ Phone Link App to Steal MFA OTPs

Cybercriminals Exploit Microsoft Phone Link to Steal SMS-Based OTPs Without Malware on Mobile Devices

A sophisticated cyberattack campaign, active since at least January 2026, uses a novel method to intercept SMS-based one-time passwords (OTPs): it targets Windows PCs synced with mobile devices, without deploying any malware on the phones themselves. Researchers identified the attack leveraging a remote access trojan (RAT) called CloudZ, paired with a previously unknown plugin dubbed Pheno, to harvest credentials and authentication codes.

The attack exploits Microsoft Phone Link (formerly "Your Phone"), a built-in Windows 10 and 11 application that mirrors calls, messages, and app notifications from Android or iOS devices to a desktop. Pheno checks for an active phone connection by looking for processes such as PhoneExperienceHost or Link to Windows, then reads the app's local SQLite database, where synced SMS messages and OTPs are stored, bypassing mobile security controls entirely.
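The access pattern described above, a process other than the Phone Link host opening the app's message store, is something an endpoint file-access log can surface. The detector below is an added example, not code from the article or from Cisco Talos; the "key=value" log format, the store directory name PhoneLinkStore and the sample events are all constructed for the example, since the article does not give the real database path.

```python
"""Flag reads of the Phone Link message store by processes that are not Phone Link.

Added example; the log format, the PhoneLinkStore path marker and the sample
telemetry are constructed assumptions, not values from the article.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# PhoneExperienceHost is named in the article as the Phone Link host process.
PHONELINK_PROCESSES = {"phoneexperiencehost.exe"}

# Placeholder marker for the Phone Link data directory (assumption: the real
# location is not given in the article, so a constructed directory name is used).
STORE_PATTERN = re.compile(r"\\PhoneLinkStore\\.*\.db$", re.IGNORECASE)


@dataclass
class FileEvent:
    image: str      # full path of the process that opened the file
    target: str     # full path of the file that was opened
    pid: int


def parse_event(line: str) -> Optional[FileEvent]:
    """Parse one constructed 'Key="value"' file-access log line; None if malformed."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    if {"Image", "TargetFilename", "ProcessId"} - fields.keys():
        return None
    return FileEvent(fields["Image"], fields["TargetFilename"], int(fields["ProcessId"]))


def is_suspicious(ev: FileEvent) -> bool:
    """True when a process outside the Phone Link allow list touches the message store."""
    if not STORE_PATTERN.search(ev.target):
        return False
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    return exe not in PHONELINK_PROCESSES


def scan(lines: List[str]) -> List[FileEvent]:
    """Return the events that warrant an alert."""
    return [ev for ev in map(parse_event, lines) if ev is not None and is_suspicious(ev)]


# Constructed sample telemetry (not real logs): a legitimate Phone Link read,
# an unrelated file read, and an unknown binary reading the message store.
SAMPLE_LOG = [
    r'Image="C:\Program Files\WindowsApps\PhoneExperienceHost.exe" TargetFilename="C:\Users\alice\PhoneLinkStore\messages.db" ProcessId="3120"',
    r'Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\alice\Documents\notes.txt" ProcessId="2200"',
    r'Image="C:\Users\Public\update.exe" TargetFilename="C:\Users\alice\PhoneLinkStore\messages.db" ProcessId="4488"',
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"ALERT pid={ev.pid} image={ev.image} opened {ev.target}")
```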

Unlike traditional attacks, this method avoids direct compromise of the mobile device, instead targeting the enterprise-managed Windows endpoint the phone trusts. The campaign highlights a critical gap in security strategies that prioritize smartphone protection over the desktop environments they sync with.

CloudZ, a modular .NET RAT compiled on January 13 and obfuscated with ConfuserEx, extends beyond Pheno’s OTP theft. It supports credential harvesting from browsers, file operations, remote command execution, and host profiling. The malware establishes an encrypted TCP connection to its command-and-control (C2) server, using rotating user-agent strings to blend with legitimate traffic. To evade detection, CloudZ dynamically generates executable functions in memory, avoiding static binary storage on disk, and checks for analysis tools like Wireshark, Fiddler, and Sysmon before execution.

The infection chain begins with a fake update for ScreenConnect, a legitimate remote support tool widely used in enterprises. The malicious update deploys a Rust-compiled loader, which installs a .NET loader to deliver CloudZ and establish persistence via a scheduled task. Despite thorough analysis by Cisco Talos researchers, the threat actor behind the campaign remains unidentified, and the initial access vector is still unclear.

Source: https://thecyberexpress.com/new-infostealer-pheno-steals-mfa-otps/

ConnectWise cybersecurity rating report: https://www.rankiteo.com/company/connectwise

"id": "CON1778005541",
"linkid": "connectwise",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Enterprise'}],
 'attack_vector': 'Exploitation of Microsoft Phone Link via remote access '
                  'trojan (RAT)',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['SMS-based OTPs',
                                              'Credentials',
                                              'Authentication codes']},
 'description': 'A sophisticated cyberattack campaign, active since at least '
                'January 2026, has uncovered a novel method to intercept '
                'SMS-based one-time passwords (OTPs) by targeting Windows PCs '
                'synced with mobile devices without deploying malware on the '
                'phones themselves. The attack leverages a remote access '
                'trojan (RAT) called CloudZ, paired with a previously unknown '
                'plugin dubbed Pheno, to harvest credentials and '
                'authentication codes. The attack exploits Microsoft Phone '
                'Link to access SMS messages and OTPs stored in the app’s '
                'local SQLite database, bypassing mobile security controls '
                'entirely.',
 'impact': {'data_compromised': 'SMS-based OTPs, credentials, authentication '
                                'codes',
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential unauthorized access to sensitive '
                                  'accounts and systems',
            'payment_information_risk': 'High',
            'systems_affected': ['Windows PCs synced with mobile devices',
                                 'Enterprise-managed Windows endpoints']},
 'initial_access_broker': {'entry_point': 'Fake ScreenConnect update'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Critical gap in security strategies that prioritize '
                    'smartphone protection over the desktop environments they '
                    'sync with. Need for enhanced monitoring of '
                    'enterprise-managed Windows endpoints.',
 'motivation': 'Credential harvesting, OTP interception, data exfiltration',
 'post_incident_analysis': {'corrective_actions': ['Enhanced monitoring of '
                                                   'Windows endpoints for RAT '
                                                   'activity',
                                                   'Restrict or secure '
                                                   'Microsoft Phone Link usage '
                                                   'in enterprise environments',
                                                   'Implement non-SMS-based '
                                                   'MFA solutions'],
                            'root_causes': ['Exploitation of Microsoft Phone '
                                            'Link SQLite database access',
                                            'Lack of monitoring for '
                                            'enterprise-managed Windows '
                                            'endpoints synced with mobile '
                                            'devices',
                                            'Use of fake ScreenConnect updates '
                                            'for initial access']},
 'recommendations': ['Monitor and secure Microsoft Phone Link usage in '
                     'enterprise environments',
                     'Enhance detection of RATs like CloudZ and plugins like '
                     'Pheno',
                     'Implement stricter controls on remote support tools like '
                     'ScreenConnect',
                     'Adopt multi-factor authentication methods not reliant on '
                     'SMS-based OTPs'],
 'references': [{'source': 'Cisco Talos'}],
 'response': {'third_party_assistance': 'Cisco Talos researchers'},
 'title': 'Cybercriminals Exploit Microsoft Phone Link to Steal SMS-Based OTPs '
          'Without Malware on Mobile Devices',
 'type': 'Cyberattack',
 'vulnerability_exploited': "Microsoft Phone Link (formerly 'Your Phone') "
                            'SQLite database access'}