Attackers have found a way to intercept SMS-based one-time passwords from a victim's mobile device without deploying a single line of malware on the phone itself. Instead, they go through the Windows PC the phone is already connected to.

Researchers documented an active intrusion campaign active since at least January 2026, that combines a remote access trojan called "CloudZ" with a previously undocumented plugin named "Pheno." Together the two tools are designed to steal credentials and harvest authentication codes that arrive on a victim's phone by abusing Microsoft Phone Link, a legitimate Windows application built into every Windows 10 and 11 system.

Microsoft Phone Link, formerly "Y...