Trojan Exploits Microsoft Phone Link to Harvest Credentials Across Devices
What Happened — Researchers at Cisco Talos identified the CloudZ Remote Access Trojan (RAT) that monitors the Microsoft Phone Link (formerly “Your Phone”) process. When a user launches Phone Link to sync a smartphone with a Windows PC, CloudZ hijacks the app’s SQLite database and exfiltrates credentials, SMS messages, and one‑time passcodes. The campaign has been active since at least January 2026.
Why It Matters for TPRM —
- Credential theft can compromise downstream SaaS services, ERP systems, and privileged accounts.
- The attack leverages a legitimate Microsoft feature, making detection by traditional signature‑based tools difficult.
- Any third party that requires Windows‑based device sync for its workforce is exposed to the same risk.
Who Is Affected — Enterprises across all sectors that allow Windows 10/11 PCs to sync with mobile devices via Microsoft Phone Link, especially those handling sensitive data (finance, healthcare, government, retail, and technology firms).
Recommended Actions —
- Review and restrict the use of Microsoft Phone Link on corporate endpoints.
- Enforce MFA and credential‑vaulting solutions that do not rely on stored passwords in sync apps.
- Deploy endpoint detection and response (EDR) capable of monitoring anomalous process‑file interactions.
- Conduct a threat‑hunt for the CloudZ “Pheno” module and related PowerShell activity.
Technical Notes — CloudZ is a .NET‑based RAT with anti‑analysis features. It loads in memory, contacts a C2 server, and runs PowerShell scripts to steal data. The “Pheno” plugin watches for active Phone Link processes and attempts to copy the app’s SQLite database, extracting credentials, SMS, and OTPs. No CVE is involved; the malware abuses legitimate Windows APIs. Source: https://www.zdnet.com/article/trojan-abuses-microsoft-phone-link-app-to-steal-passwords/
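The hunt suggested under Recommended Actions can be expressed as a small correlation over endpoint telemetry. The following is an added example written for this brief, not code from Cisco Talos or ZDNet; it assumes Phone Link runs as PhoneExperienceHost.exe, that its data lives under the Microsoft.YourPhone package folder, and a simplified event schema (ts, event, image, target/parent/cmdline) that you would map from Sysmon or your EDR.

```python
"""Hunt endpoint telemetry for the Pheno pattern: a process other than the
Phone Link host reading the Phone Link SQLite database, and PowerShell being
spawned by a process that did so. Names and paths below are assumptions."""
from pathlib import PureWindowsPath

# Assumption: Phone Link host process and app package folder (verify locally).
PHONE_LINK_HOST = "phoneexperiencehost.exe"
PHONE_LINK_PKG = "microsoft.yourphone_8wekyb3d8bbwe"
DB_SUFFIXES = (".db", ".db-wal", ".db-shm", ".sqlite")
SHELLS = ("powershell.exe", "pwsh.exe")


def is_phone_link_db(path: str) -> bool:
    """True if the path points at a SQLite file inside the Phone Link package."""
    name = PureWindowsPath(path).name.lower()
    return PHONE_LINK_PKG in path.lower() and name.endswith(DB_SUFFIXES)


def hunt(events: list[dict]) -> list[str]:
    """Return alert strings. Two passes so ordering of events does not matter:
    first learn which non-Phone-Link images touched the DB, then flag those
    reads plus any PowerShell they launched."""
    base = lambda p: PureWindowsPath(p).name.lower()
    touchers = {base(e["image"]) for e in events
                if e["event"] == "file_access" and is_phone_link_db(e["target"])
                and base(e["image"]) != PHONE_LINK_HOST}
    alerts = []
    for e in events:
        img = base(e["image"])
        if e["event"] == "file_access" and img in touchers:
            alerts.append(f"{e['ts']} {img} read Phone Link DB {e['target']}")
        elif e["event"] == "process_create" and img in SHELLS:
            parent = base(e["parent"])
            if parent in touchers:
                alerts.append(f"{e['ts']} {parent} spawned {img}: {e.get('cmdline', '')}")
    return alerts


# Constructed sample telemetry (not real captures).
DB = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\phone.db"
SAMPLE_EVENTS = [
    {"ts": "09:00:01", "event": "file_access", "image": r"C:\WindowsApps\PhoneExperienceHost.exe", "target": DB},
    {"ts": "09:00:05", "event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"ts": "09:00:09", "event": "file_access", "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "target": DB},
    {"ts": "09:00:12", "event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "cmdline": "powershell.exe -w hidden -enc ..."},
]

if __name__ == "__main__":
    print("\n".join(hunt(SAMPLE_EVENTS)))
```

The host process reading its own database and the explorer-launched PowerShell produce no alert; only the temp-folder binary's read and the shell it spawned are reported.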