Stealthy Malware Abuses Microsoft Phone Link to Siphon SMS OTPs From Enterprise PCs


Computerworld – IT Leadership, May 5, 2026

Why It Matters

By stealing OTPs from the PC, attackers can bypass SMS‑based MFA, exposing enterprises to credential compromise despite mobile‑centric security controls.

Key Takeaways

  • CloudZ RAT and Pheno plugin hijack Phone Link to steal SMS OTPs
  • Attack bypasses mobile device compromise by exploiting PC‑to‑phone sync
  • Persistence via scheduled task “SystemWindowsApis” using legitimate regasm.exe
  • Loader masquerades as ScreenConnect update and runs anti‑analysis checks
  • Talos published hashes, C2 IPs, and Snort rules for detection

Pulse Analysis

Microsoft’s Phone Link feature, built into Windows 10 and 11, has become a convenient bridge that mirrors texts, notifications, and calls from a user’s smartphone to the desktop. While it streamlines productivity for millions of users, the feature also stores a local copy of synced data in a SQLite database, creating an unintended attack surface. As enterprises increasingly enforce mobile‑first security policies, the reliance on Phone Link for OTP delivery inadvertently shifts the risk to the corporate endpoint, where traditional mobile device management tools have limited visibility.

The newly identified CloudZ remote‑access trojan, paired with the Pheno plugin, exploits this gap by continuously scanning for active Phone Link processes and reading the stored SMS and authenticator messages. The campaign begins with a malicious payload disguised as a ScreenConnect update, drops a Rust‑compiled loader, and then establishes persistence through a scheduled task named “SystemWindowsApis” that runs regasm.exe with elevated rights. Before executing the main payload, the .NET loader performs anti‑analysis checks (detecting debuggers, sandbox tools, and timing anomalies) to evade detection. Once in memory, CloudZ decrypts and activates, establishing encrypted C2 communications while harvesting credentials and OTPs.

For security teams, the emergence of PC‑to‑phone credential theft underscores the need to broaden MFA threat modeling beyond the mobile device. Defenders should monitor for unusual Phone Link activity, enforce strict application whitelisting, and apply the IoCs released by Talos, including hashes and Snort rules. Additionally, isolating Phone Link traffic, employing endpoint detection and response (EDR) solutions that can flag the “SystemWindowsApis” task, and considering alternative MFA methods such as hardware tokens or push‑based authenticators can mitigate the risk of OTP interception at the endpoint.
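As an added illustration of the EDR-style check suggested above (this is example code written for this summary, not code from the article, Computerworld, or Talos), the following PowerShell script enumerates scheduled tasks on a Windows endpoint and flags any task that matches the persistence pattern described: the task name “SystemWindowsApis”, or any task whose action launches regasm.exe. The task name and the regasm.exe binary come from the article; everything else (output fields, the choice to treat either condition as a hit) is an assumption of this example.

```powershell
# Added example, not part of the original article: hunt for the scheduled-task
# persistence pattern described above. Run in an elevated PowerShell session.

$suspiciousName = 'SystemWindowsApis'   # task name reported in the article

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only Exec actions carry Execute/Arguments; COM-handler actions are skipped.
        if (-not $action.Execute) { continue }

        # Normalise the executable name (strip quotes and directory) before matching.
        $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))

        $byName   = $task.TaskName -eq $suspiciousName
        $byBinary = $exe -ieq 'regasm.exe'

        if ($byName -or $byBinary) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
                RunAs     = $task.Principal.UserId
                RunLevel  = $task.Principal.RunLevel   # 'Highest' means elevated rights
                Reason    = if ($byName) { 'known task name' } else { 'regasm.exe action' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No scheduled tasks matched the SystemWindowsApis / regasm.exe pattern.'
}
```

regasm.exe is a legitimate .NET Framework assembly-registration tool, so a hit on the binary alone is an investigation lead rather than proof of compromise; review the Arguments column (which assembly is being registered and from what path) and the RunLevel before acting. The known task name is the stronger signal, but an attacker can rename it, which is why the script also keys on the binary.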

