Tuesday, May 5, 2026

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs — What Enterprise Security Teams Must Do Now


Key Takeaways
  • The CloudZ RAT, active since at least January 2026, uses a plugin called Pheno to steal OTPs and SMS messages directly from Microsoft Phone Link's local database on Windows — no access to your phone required.
  • Discovered by Cisco Talos, the campaign operated undetected for approximately four months before public disclosure on May 5, 2026, exposing critical gaps in endpoint detection.
  • Microsoft Phone Link comes pre-installed on Windows 10 and Windows 11, so this attack vector has a potentially massive built-in footprint across hundreds of millions of enterprise endpoints worldwide.
  • Even app-based authenticator notification messages synced via Phone Link are at risk if the Windows endpoint is compromised — making hardware-based MFA a priority upgrade for any organization.

What Happened

In May 2026, Cisco Talos disclosed a sophisticated intrusion campaign built around a previously undocumented malware family called CloudZ. The threat actor behind it found a clever way to steal one-time passwords (OTPs) — those six-digit codes your bank or email provider sends to verify your identity — without ever touching a victim's smartphone.

The infection begins with a fake software update: victims receive what appears to be a legitimate ScreenConnect (a widely used remote IT support tool) application update. Running it executes a hidden .NET loader — a small program whose sole job is to install the real threat, the CloudZ remote access trojan (RAT). A RAT is malware that gives attackers silent, persistent control of your computer.

CloudZ then deploys a specialized companion plugin called Pheno. This plugin has one mission: find and raid Microsoft Phone Link's local data. Phone Link is a built-in Windows 10 and 11 application that syncs your Android phone's messages, calls, and notifications directly to your PC. Pheno scans running system processes for identifiers like "YourPhone," "PhoneExperienceHost," or "Link to Windows" to confirm an active Phone Link session. Once confirmed, it targets Phone Link's local SQLite database — a file stored on the Windows machine containing synchronized SMS messages, call logs, OTPs, and authenticator app notifications — without ever accessing or touching the victim's actual mobile device.

CloudZ itself is a .NET executable compiled on January 13, 2026, and deliberately scrambled (obfuscated) using a tool called ConfuserEx to evade antivirus detection. It actively checks for debuggers and sandbox environments (controlled test environments used by security analysts to study malware) before executing its most dangerous functions. The campaign was active for at least four months before Cisco Talos publicly disclosed it on May 5, 2026.


Why It Matters for Your Organization's Security

The implications of this campaign reach far beyond a single confirmed intrusion. Following cybersecurity best practices around software inventory and endpoint configuration is essential, yet Phone Link's status as a default Windows feature means many organizations have never evaluated it as a risk.

The attack surface is enormous. Microsoft Phone Link comes pre-installed on Windows 10 and Windows 11, meaning the feature may already be active — and paired to an employee's personal phone — across hundreds of millions of enterprise endpoints globally, often without IT teams knowing. This is not a fringe vulnerability affecting obscure software. It ships with Windows.

This bypasses your mobile security entirely. Most MFA (multi-factor authentication) security models are built on the assumption that the mobile device is the hardest thing for an attacker to compromise. Enterprise mobile device management (MDM) solutions, mobile threat defense tools, and strict BYOD (bring-your-own-device) policies all rest on that assumption. As security analysts noted after reviewing this campaign, the technique "shifts risk from mobile devices to enterprise-managed Windows systems, potentially bypassing controls focused on securing smartphones." Your mobile security investments offer no protection here. The phone is never touched. The theft happens entirely on the Windows endpoint.

Authenticator apps are not automatically safe either. Many organizations have already migrated away from SMS codes toward authenticator apps — good practice. But this campaign reveals a critical wrinkle: if an employee has Phone Link active and their authenticator app sends push notifications that sync to Windows, those notifications can appear in Phone Link's SQLite database. Cisco Talos researchers confirmed that the attacker "can potentially intercept the Phone Link application's SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages." Effective data protection now requires securing the endpoint layer, not only the mobile layer.

The detection gap is alarming. DFIR Radar summarized the campaign as "targeting credential theft without mobile device compromise" — a scenario most organizations' incident response playbooks and detection tooling are simply not built to catch. CloudZ evades detection by executing its most dangerous functions dynamically in system memory (never writing suspicious code to disk in a detectable form) and actively checking for analysis environments before proceeding. Operating from at least January 2026 through public disclosure in May 2026 — roughly four months — without triggering standard enterprise alarms is a clear signal that conventional defenses are lagging.

The regulatory pressure is accelerating. SMS-based OTP authentication is already under fire globally, with multiple countries moving toward banning it as a primary authentication factor in 2026. CloudZ and Pheno add operational proof to what regulators have argued: SMS OTPs are insufficient, and even synced authenticator notifications carry risk on compromised endpoints. Building security awareness around this shift is now an operational necessity, not a future project.

The AI Angle

CloudZ's four-month detection gap illustrates precisely where traditional signature-based antivirus tools (systems that recognize known malware by a fixed "fingerprint") fall short. CloudZ was purpose-built to avoid those fingerprints — freshly compiled, obfuscated, executing in memory, and sandbox-aware.

This is the gap that AI-powered threat intelligence and behavioral detection platforms are designed to close. Solutions like CrowdStrike Falcon and SentinelOne use machine learning to establish baselines of normal process behavior on endpoints. When a process like PhoneExperienceHost.exe suddenly begins reading unexpected SQLite database files or communicating with unknown external servers, behavioral AI flags the anomaly — even with zero prior knowledge of CloudZ's signature.

Integrating curated threat intelligence feeds enriched with indicators of compromise (IOCs) — specific technical markers like file hashes, network addresses, and process behaviors tied to campaigns like CloudZ — gives security teams early warning when new patterns emerge. Platforms like Recorded Future and Mandiant Advantage aggregate this threat intelligence at scale. AI-powered security awareness training platforms can also simulate the fake software update delivery method CloudZ used, helping employees recognize and report suspicious prompts before infection reaches the endpoint. Together, these AI-driven layers represent modern cybersecurity best practices that go well beyond signature detection.

What Should You Do? 3 Action Steps

1. Audit and Restrict Microsoft Phone Link Across Your Endpoints

Immediately survey which Windows machines in your organization have Phone Link active and paired to an employee's personal device. For most enterprise environments, Phone Link should be disabled via Group Policy (a Windows administration tool that enforces configuration settings across many computers simultaneously) unless there is a specific, documented business requirement. Set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\YourPhone — DisableYourPhone = 1 — or push this setting through your endpoint management platform. This directly removes the attack surface Pheno exploits and is one of the fastest, most concrete steps you can take this week. Document this policy as part of your standing endpoint hardening standards.
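The audit-and-restrict step above as a PowerShell script for a single endpoint, added here as an example (not code from the article or from Cisco Talos). It reuses the process names, store path and registry value the article gives, and assumes Phone Link is installed as the Appx package Microsoft.YourPhone.

```powershell
# Added example, not code from the article or from Cisco Talos. Audits Phone Link
# on the local endpoint and applies the policy value the article names. Run elevated.
# Assumption: Phone Link is installed as the Appx package Microsoft.YourPhone (its
# package family name appears in the LocalCache path the article gives).

function Get-PhoneLinkStatus {
    # Installed for any user profile on this machine?
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.YourPhone' -ErrorAction SilentlyContinue

    # Running right now? Process names taken from the article.
    $procs = Get-Process | Where-Object { $_.ProcessName -match '^(YourPhone|PhoneExperienceHost)$' }

    # Which profiles already hold a synced Unistore data directory (the store Pheno reads)?
    $stores = Get-Item 'C:\Users\*\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Unistore\data' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Installed      = [bool]$pkg
        Running        = [bool]$procs
        # Path is C:\Users\<name>\..., so index 2 of the split is the profile name
        PairedProfiles = @($stores | ForEach-Object { $_.FullName.Split('\')[2] })
    }
}

function Disable-PhoneLinkPolicy {
    # Registry location and value name as given in the article's Step 1.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\YourPhone'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DisableYourPhone' -Value 1 -Type DWord
    # Read the value back so the result can be verified and logged.
    (Get-ItemProperty -Path $key -Name 'DisableYourPhone').DisableYourPhone -eq 1
}

# Record the pre-change state for the inventory, then apply the policy.
$status = Get-PhoneLinkStatus
$status | Format-List
if (Disable-PhoneLinkPolicy) {
    Write-Output "DisableYourPhone=1 applied on $($status.ComputerName)"
}
```

Collect the status objects centrally before pushing the policy fleet-wide, so the profiles that were actually paired are known when the business-requirement exceptions are reviewed.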

2. Upgrade MFA to Hardware Keys or Passkeys — Starting with High-Risk Accounts

Both SMS OTPs and synced authenticator push notifications are now demonstrably at risk when a Windows endpoint is compromised. Begin migrating high-value accounts — executives, IT administrators, finance staff, and anyone with access to sensitive systems — to FIDO2 hardware security keys (physical USB or NFC devices such as YubiKey) or passkeys (a newer authentication standard built into modern operating systems and browsers that uses device-bound cryptography). These methods are phishing-resistant and do not sync to any PC application, entirely eliminating the Phone Link attack vector. This is also a critical data protection measure aligned with tightening global regulatory requirements around strong authentication. Both Google Workspace and Microsoft 365 support hardware key enrollment for under $50 per user.

3. Deploy or Retune Your EDR for Memory Scanning and Behavioral File Access Alerts

Signature-based antivirus will not catch CloudZ. Your incident response capability depends on having an endpoint detection and response (EDR) solution — software that continuously monitors what programs are actually doing on a machine, not just what they look like — with active memory scanning enabled. Review your EDR configuration to alert on unexpected file access to Phone Link's local SQLite store at %LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Unistore\data\. Flag any process other than Phone Link's own executables reading files in that directory as a high-priority alert. If you are still relying on legacy antivirus alone, this campaign is a direct signal that modern threat intelligence-driven attacks require a modern detection stack.
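The alert logic from Step 3, applied to constructed file-access telemetry as an added example (not the article's or any EDR vendor's code). The event field names Host, Process, ProcessPath and TargetPath are assumptions to be mapped onto your EDR's export, and the WindowsApps install directory for Phone Link's executables is an assumption as well.

```powershell
# Added example, not code from the article or from any EDR vendor. Implements the
# Step 3 rule: any process other than Phone Link's own executables reading files
# under the Unistore data directory is a high-priority alert.

# Phone Link's own executable names, as given in the article. Assumption: they run
# from the package's install directory under WindowsApps.
$PhoneLinkProcesses  = @('PhoneExperienceHost.exe', 'YourPhone.exe')
$PhoneLinkInstallDir = 'C:\Program Files\WindowsApps\Microsoft.YourPhone_'

# The synced store under any user profile (path from the article); single quotes
# keep the backslashes literal, so each regex backslash is doubled.
$UnistorePattern = '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Packages\\Microsoft\.YourPhone_8wekyb3d8bbwe\\LocalCache\\Unistore\\data\\'

function Get-PhoneLinkStoreAlerts {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.TargetPath -notmatch $UnistorePattern) { continue }   # not the store
        # Name alone is not enough: require the known name AND the expected install path.
        $isPhoneLink = ($PhoneLinkProcesses -contains $e.Process) -and
                       $e.ProcessPath.StartsWith($PhoneLinkInstallDir, 'OrdinalIgnoreCase')
        if ($isPhoneLink) { continue }                               # expected owner
        [pscustomobject]@{
            Severity    = 'High'
            Host        = $e.Host
            Process     = $e.Process
            ProcessPath = $e.ProcessPath
            TargetPath  = $e.TargetPath
            Reason      = 'Non-Phone-Link process read Phone Link Unistore data'
        }
    }
}

# Constructed sample telemetry for the demonstration; paths and file name are made up.
$store = 'C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Unistore\data\phone.db'
$sample = @(
    [pscustomobject]@{ Host='WS01'; Process='PhoneExperienceHost.exe'; ProcessPath='C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe'; TargetPath=$store }
    [pscustomobject]@{ Host='WS01'; Process='update.exe';              ProcessPath='C:\Users\alice\AppData\Local\Temp\update.exe';                                                       TargetPath=$store }
    [pscustomobject]@{ Host='WS01'; Process='PhoneExperienceHost.exe'; ProcessPath='C:\Users\alice\Downloads\PhoneExperienceHost.exe';                                                     TargetPath=$store }
    [pscustomobject]@{ Host='WS01'; Process='explorer.exe';            ProcessPath='C:\Windows\explorer.exe';                                                                              TargetPath='C:\Users\alice\Documents\notes.txt' }
)

Get-PhoneLinkStoreAlerts -Events $sample | Format-Table -AutoSize
```

Only the second and third events produce alerts: the foreign process, and the process that borrows Phone Link's executable name but runs from an unexpected path, which is why the rule checks the process path and not just its name.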

Frequently Asked Questions

How can I protect my business from OTP theft through Microsoft Phone Link on company Windows computers?

The most direct step is disabling Microsoft Phone Link organization-wide using Group Policy or your endpoint management platform, removing the attack surface entirely. Alongside that, migrate sensitive accounts away from SMS OTPs and synced authenticator push notifications toward hardware security keys (FIDO2) or passkeys, which cannot be intercepted through any PC sync application. Ensure your EDR solution monitors file access activity for Phone Link's local SQLite database files and configure high-priority alerts for unexpected reads. Finally, run security awareness training so employees can recognize fake software update prompts — the exact delivery method used by the CloudZ campaign — before clicking.

What exactly is the CloudZ RAT and how does it steal two-factor authentication codes without ever accessing my phone?

CloudZ is a remote access trojan (RAT) — malware that silently gives an attacker ongoing remote control of a Windows computer. It was compiled on January 13, 2026, and obfuscated using ConfuserEx to evade detection. Its companion plugin, Pheno, targets Microsoft Phone Link's local SQLite database on the compromised PC. Because Phone Link syncs your phone's SMS messages, OTPs, and authenticator app notifications to your Windows machine, CloudZ can steal those codes directly from local PC storage — without needing to access, touch, or even know the location of your physical smartphone. Cisco Talos discovered this campaign and disclosed it on May 5, 2026, after the threat actor operated undetected for approximately four months.

Should I disable Microsoft Phone Link on all company computers to prevent this kind of Windows malware attack?

For most organizations, yes — disabling Phone Link on enterprise endpoints is the recommended precautionary action. Phone Link is a productivity convenience, rarely a core business requirement, and it creates a local database of SMS messages, OTPs, and authenticator notifications accessible to any sufficiently privileged process on the machine. That represents a significant and unnecessary data protection exposure. Use the DisableYourPhone Group Policy registry key or your endpoint management platform to disable it organization-wide, and record this as a formal item in your incident response and endpoint hardening documentation. If specific business teams genuinely require Phone Link functionality, evaluate isolating those devices in a higher-scrutiny network segment with enhanced EDR monitoring.

How do attackers use malware to bypass multi-factor authentication on Windows without ever compromising the mobile device?

Attackers exploit the PC-to-phone sync layer — features like Microsoft Phone Link — that automatically copy mobile data into a local database on the Windows computer. Rather than attempting to hack your phone (which is well-defended and difficult), they compromise the Windows endpoint through phishing or a fake software update, then simply read the local sync database where your phone's messages and authenticator notifications are stored in plaintext (unencrypted, readable format). No mobile access is required because the sensitive data is already on the PC. This is an emerging blind spot in most MFA security models, which invest heavily in mobile defenses while leaving the desktop sync layer unmonitored and unaudited.

What are the safest alternatives to SMS-based two-factor authentication for small businesses concerned about endpoint-based OTP theft?

In order of security strength: (1) FIDO2 hardware security keys such as YubiKey — physical devices that perform cryptographic authentication and cannot be phished or synced to any PC application; (2) Passkeys — built into Windows Hello, Apple Face ID and Touch ID, and Google Password Manager, using device-bound cryptography that never leaves the hardware; (3) TOTP authenticator apps (such as Authy or Google Authenticator) configured to generate codes locally with push notification sync disabled, on a phone that is not paired to Windows through Phone Link. SMS OTP should be eliminated for any account with access to sensitive data. Implementing FIDO2 or passkeys for high-risk accounts is a foundational cybersecurity best practice that both neutralizes attacks like CloudZ and satisfies rapidly tightening 2026 regulatory expectations for strong authentication.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.
