A novel malware campaign has been identified abusing Microsoft's Phone Link feature to exfiltrate SMS-based one-time passwords (OTPs) and other sensitive mobile data directly from corporate Windows workstations. Cisco Talos researchers first detected this activity in January 2026 and described a sophisticated attack built around a remote access trojan named CloudZ and a specialized plugin dubbed Pheno. Together, the two components let adversaries harvest a range of credentials and, crucially, capture authentication codes synchronized from a user's smartphone, bypassing multi-factor authentication schemes that rely on SMS. The custom Pheno plugin specifically targets and manipulates the Phone Link application's communication channels, so sensitive data can be intercepted from the workstation without any direct interaction with the mobile device itself. This technique marks a significant evolution in credential theft: it turns a trusted operating system feature into a covert exfiltration path out of enterprise environments, as Talos documents in its detailed analysis [1]. Because this state-aligned activity targets a ubiquitous Microsoft feature, it shifts the threat model from common criminal opportunism to geopolitical objectives, and defenders at critical infrastructure operators and government agencies should re-evaluate their defensive strategies accordingly.