Hackers have targeted Windows users through Microsoft Phone Link, the tool that links a PC to an Android smartphone. Attackers deploy the CloudZ RAT malware together with a new Pheno plug-in to read text messages and one-time passwords (OTPs). In the stealthy operations detected recently, this let them bypass two-factor authentication (2FA). Enterprises face the highest risk as attackers siphon sensitive SMS data from connected devices.
What Happened
Security researchers identified the attacks in early May 2026. Hackers trick users into installing CloudZ RAT via phishing emails or malicious downloads. Once active on Windows PCs, the malware targets Phone Link, the official Microsoft app that mirrors smartphone notifications on computers.
The new Pheno plug-in extends the RAT’s reach. It hijacks the bridge between the PC and the phone, capturing incoming SMS messages without visible signs. Attackers gain real-time access to OTPs sent for bank logins, email accounts, and other services. Because the method relies on legitimate Microsoft software, it evades traditional antivirus tools.
Scope of Impact
SMS messages form the primary data stolen, including 2FA codes that protect online accounts. No exact user numbers emerged, but enterprise environments with Phone Link enabled suffer most. The attacks compromise any service relying on SMS-based verification, such as financial apps and corporate email systems.
Phone Link’s design, which syncs texts for convenience, creates the vulnerability. Attackers need only initial malware access to exploit the connection. Broader risks include session hijacking and unauthorized transactions once 2FA codes reach the hackers.
Company Response
Microsoft acknowledged the issue on May 6, 2026. The company issued a security advisory warning users about malware abusing Phone Link. It recommended immediate scans with updated Windows Defender definitions.
“We are actively monitoring this threat and have deployed detection signatures for CloudZ RAT and Pheno,” Microsoft stated in the advisory. No patches alter Phone Link directly, as the flaw stems from malware infection rather than app code. Microsoft urged disabling Phone Link features if unused.
What Users Should Do
Users must act quickly to secure devices and accounts:
- Run full antivirus scans on Windows PCs using Microsoft Defender or third-party tools.
- Disable Phone Link in Windows settings and uninstall if not essential.
- Change passwords for all accounts protected by SMS 2FA.
- Switch to app-based 2FA like Google Authenticator or hardware keys.
- Monitor bank and email accounts for suspicious activity.
- Avoid clicking links in unsolicited emails to prevent initial infection.
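For administrators who need to carry out the "disable and uninstall Phone Link" step across a fleet rather than one Settings page at a time, here is an added example script; it is not from the article or from Microsoft's advisory. It assumes Phone Link's AppX package identity is Microsoft.YourPhone and that its host process is PhoneExperienceHost (the process name is an assumption), and it must run in an elevated PowerShell session.

```powershell
# Added example, not from the article or Microsoft's advisory.
# Audits whether Phone Link (AppX package Microsoft.YourPhone) is installed,
# provisioned for new accounts, or running, and optionally removes it for all users.
# Assumption: the host process is named PhoneExperienceHost.

function Get-PhoneLinkStatus {
    [CmdletBinding()]
    param()

    $installed   = Get-AppxPackage -AllUsers -Name 'Microsoft.YourPhone' -ErrorAction SilentlyContinue
    $provisioned = Get-AppxProvisionedPackage -Online |
                   Where-Object { $_.DisplayName -eq 'Microsoft.YourPhone' }
    $running     = Get-Process -Name 'PhoneExperienceHost' -ErrorAction SilentlyContinue  # assumed name

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = [bool]$installed
        UserCount    = @($installed.PackageUserInformation).Count   # how many profiles have it
        Provisioned  = [bool]$provisioned                           # will be added to new accounts
        Running      = [bool]$running
    }
}

function Remove-PhoneLink {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Stop the host process so the package can be removed cleanly.
    Get-Process -Name 'PhoneExperienceHost' -ErrorAction SilentlyContinue | Stop-Process -Force

    # Remove the package from every user profile on the machine.
    Get-AppxPackage -AllUsers -Name 'Microsoft.YourPhone' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove-AppxPackage -AllUsers')) {
                Remove-AppxPackage -Package $_.PackageFullName -AllUsers
            }
        }

    # Deprovision it so Windows does not reinstall it for accounts created later.
    Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq 'Microsoft.YourPhone' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove-AppxProvisionedPackage')) {
                Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
            }
        }

    Get-PhoneLinkStatus   # report the post-removal state
}

Get-PhoneLinkStatus        # audit only
Remove-PhoneLink -WhatIf   # drop -WhatIf to actually remove
```

Removing Phone Link closes the SMS-sync channel but does nothing about a CloudZ RAT infection already on the PC, so the Defender scan in the first step is still required.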
Background
CloudZ RAT appeared in prior campaigns targeting enterprises. This marks its first known use against Phone Link. Similar attacks have abused legitimate apps like this one, as detailed in a recent report on stealthy malware abusing Microsoft Phone Link.
Social engineering plays a key role, often starting with deceptive emails. For more on these tactics, see NetworkUstad’s guide on social engineering in cybersecurity. Phone Link launched in 2021 as a successor to the Your Phone app, gaining popularity for cross-device messaging. No prior major breaches linked to it occurred until now.