Imagine receiving a text message with a one-time code to log into your bank account. You enter it, and you feel safe. But what if an attacker already saw that code before you did? That is exactly what is happening in a new wave of cyberattacks. Security researchers have uncovered a campaign that exploits a built-in Windows tool called Phone Link. By abusing Phone Link, attackers intercept SMS messages and one-time passwords without ever touching your phone. The attack turns a legitimate syncing feature into a backdoor for credential theft.

How the Phone Link Attack Works
The attack begins with an initial compromise of a Windows PC. According to researchers at Cisco Talos, the intrusion started in January 2025. The exact method used to gain access is still unknown, but once inside, the attackers deploy a fake ScreenConnect update. This update installs an intermediate .NET loader, which then drops the CloudZ remote access Trojan (RAT) onto the machine.
CloudZ is a modular RAT with many capabilities. It can steal browser credentials, execute shell commands, record the screen, and deploy plugins. One of those plugins is a new piece of malware called Pheno. Pheno is designed specifically to scan for active Microsoft Phone Link processes. It checks for processes like YourPhone and PhoneExperienceHost. If it finds an active relay between the PC and a smartphone, it flags the system as “Maybe connected.”
Once Pheno confirms that Phone Link is syncing data, CloudZ can access the Phone Link application’s SQLite database file on the victim’s machine. This database stores SMS messages and notifications, including two-factor authentication codes. The attacker can then read these codes and use them to bypass 2FA protections. All of this happens without any malware ever being installed on the phone itself.
Why This Attack Is Different
Most attacks that target mobile devices require the attacker to infect the phone with malware or trick the user into installing a malicious app. This campaign takes a different route. It exploits the trust relationship between a Windows PC and a paired smartphone. Phone Link is preinstalled on Windows 10 and 11. It syncs text messages, notifications, and calls between devices. Many users rely on it for convenience, but that convenience creates a security gap.
Cisco Talos researcher Chetan Raghuprasad noted that this connection is rarely leveraged in attacks. By abusing a legitimate Windows feature, the attackers gain a 2FA bypass capability. They eliminate an identity authentication step that many people believe keeps their accounts secure. This attack shows that even strong 2FA methods can be undermined if the underlying infrastructure is compromised.
The Role of CloudZ RAT and Pheno Plugin
CloudZ is not a new malware family, but its use in this campaign highlights its flexibility. Once installed, it decrypts its configuration data and establishes an encrypted socket connection to a command-and-control (C2) server. It then enters command dispatcher mode, waiting for instructions. The C2 server can order CloudZ to steal browser credentials, record the screen, or download and execute additional plugins.
Pheno is the new plugin that makes this attack possible. It performs reconnaissance of the Phone Link application on the victim machine. It writes the reconnaissance data to an output file in a staging folder. CloudZ then reads that file and sends it to the C2 server. The researchers observed that Pastebin staging URLs remain active, though no evidence of successful exfiltration has been seen yet.
The combination of CloudZ and Pheno creates a powerful tool for attackers. They can silently intercept SMS messages and 2FA notifications without the user suspecting anything. The attack is particularly dangerous because it works even if the user has not clicked any malicious link on their phone.
How Attackers Bypass Two-Factor Authentication
Two-factor authentication is supposed to add an extra layer of security. Even if your password is stolen, the attacker still needs the second factor, often a code sent via SMS or generated by an authenticator app. In this Phone Link scenario, the attacker intercepts those codes directly from the PC. Since Phone Link syncs SMS messages and app notifications to the Windows machine, any code that appears on your phone also appears on your PC. The malware simply reads the SQLite database where Phone Link stores that data.
This bypass works for SMS-based OTPs and also for notification messages from authenticator apps that send push notifications. The attacker does not need to compromise the phone’s operating system. They only need access to the paired Windows machine. For many users, this means that their 2FA protection is only as strong as their PC’s security.
The attack highlights a fundamental weakness in cross-device syncing. Features designed for convenience can become attack vectors. Security experts have long warned that SMS-based 2FA is vulnerable to SIM swapping and phishing. Now we see a new vector: abusing the bridge between a phone and a computer.
What This Means for Your Security
This attack does not mean you should abandon 2FA. It means you need to be more thoughtful about how you implement it. SMS-based codes are the least secure form of 2FA. App-based authenticators like Google Authenticator or Authy are better, but they can still be intercepted if push notifications are synced to a compromised PC. Hardware tokens like YubiKeys offer the strongest protection because they require physical presence.
The attack also underscores the importance of securing your Windows PC. If an attacker gains access to your computer, they can potentially access everything your phone shares with it. Phone Link is just one example. Similar risks exist with other cross-device syncing tools like iCloud for Windows or Google’s Messages for Web.
Organizations should take note. Many companies rely on SMS-based OTPs for employee authentication. This attack shows that a compromised endpoint can defeat that security measure. Moving to phishing-resistant MFA methods, such as FIDO2 security keys, is a wise investment.
Practical Steps to Protect Yourself
You do not need to stop using Phone Link, but you should take precautions. Here are actionable steps to reduce your risk.
Disable Phone Link If You Do Not Need It
If you rarely use the syncing feature, unlink your phone from Windows. Go to Settings > Bluetooth & devices > Phone Link and remove the paired device. This eliminates the attack surface entirely.
Use App-Based Authenticators Without Push Sync
Switch from SMS-based 2FA to an authenticator app like Microsoft Authenticator or Google Authenticator. Disable notification syncing for that app on your PC. Some authenticator apps allow you to approve logins by tapping a notification on your phone. If that notification syncs to your PC, it can be intercepted. Use time-based one-time passwords (TOTP) instead, which require you to open the app on your phone and read a code.
Consider Hardware Security Keys
For critical accounts like email, banking, and work systems, use a hardware security key that supports FIDO2 or WebAuthn. These keys require you to physically press a button on the device, making remote interception impossible.
Monitor for Unusual Activity
Check your Windows PC for unfamiliar processes. YourPhone and PhoneExperienceHost are Phone Link's own processes, so seeing them running when you have not linked a phone or do not use the feature is a sign worth investigating. Use an endpoint detection and response (EDR) tool if available. Keep an eye on any unusual network connections from your PC.
Keep Software Updated
Microsoft may issue patches to harden Phone Link against this type of abuse. Ensure your Windows system and all apps are up to date. Enable automatic updates to reduce the window of vulnerability.
Use Strong Endpoint Protection
Install reputable antivirus or EDR software that can detect CloudZ RAT and similar threats. Behavioral detection can spot unusual activity like a process accessing the Phone Link database.
The Bigger Picture: Cross-Device Sync Risks
This attack is not isolated to Microsoft Phone Link. Any feature that syncs data between devices can be abused. Apple’s continuity features, Google’s Messages for Web, and third-party apps like Pushbullet all create similar trust relationships. The principle is the same: if an attacker compromises one device, they can access data synced from another.
As more people use multiple devices, the attack surface grows. The convenience of seamless syncing comes with a trade-off. Security professionals have long warned about the risks of cross-device trust. This campaign is a concrete example of those risks becoming reality.
Microsoft has not yet commented on the attack. It is possible that future updates will add additional authentication steps for Phone Link access or encrypt the SQLite database more thoroughly. Until then, users must take responsibility for securing their own devices.