Published: · Region: Global · Category: cyber

Illustrative image (Microsoft, via Wikimedia Commons / Wikipedia), not from the reported incident.

CloudZ RAT Abuses Windows Phone Link to Bypass SMS 2FA

A new campaign active since January 2026 is exploiting Microsoft’s Phone Link feature on Windows to intercept SMS messages and one-time passwords without infecting mobile devices. Details published on 6 May 2026 reveal the CloudZ remote access trojan is stealing credentials and bypassing two-factor authentication via synced desktop data.

Key Takeaways

On 6 May 2026, cybersecurity researchers disclosed that a threat actor operating the CloudZ remote access trojan (RAT) has been exploiting Microsoft’s Phone Link feature on Windows to intercept SMS messages and one-time passwords (OTPs) without directly infecting victims’ smartphones. According to the technical analysis, the campaign has been active since at least January 2026 and focuses on compromising Windows machines that are paired with Android phones via Phone Link.

Phone Link is a legitimate Microsoft feature that allows users to view and respond to text messages, access photos, and interact with Android apps directly from a Windows desktop or laptop. CloudZ operators take advantage of this integration by first delivering the RAT to the victim’s Windows system—typically through phishing emails, malicious downloads, or other familiar intrusion vectors. Once installed, CloudZ gains access to the Phone Link data store, enabling it to read SMS content and associated OTPs that are mirrored from the connected phone.

Crucially, this approach bypasses traditional assumptions about the security of SMS-based two-factor authentication (2FA). Many organizations and users rely on receiving one-time codes via SMS under the belief that attackers would need to compromise the phone’s operating system or telecom channels to intercept them. In the CloudZ scenario, the phone remains untouched; instead, the weakest point is the PC where those messages are replicated.

Key actors in this campaign are the unidentified threat group behind CloudZ, Microsoft as the vendor responsible for Phone Link, and a potentially wide pool of victims who use Windows–Android integration features. Targets are likely to include both individuals and organizations, particularly those with valuable online accounts protected only by passwords and SMS 2FA.

From a risk perspective, the campaign enables several high-impact outcomes for attackers. Once in possession of OTPs and account credentials, CloudZ operators can log into email, banking, enterprise VPN, and cloud services accounts that appear to be protected by two-step verification. This opens paths to financial theft, data exfiltration, lateral movement within corporate networks, and further malware deployment.

The disclosure also highlights a broader structural issue: as consumer and enterprise ecosystems become more tightly integrated across devices, features designed for convenience can unintentionally expand the attack surface. Security models that treat one device as a secondary, more trusted factor can fail if that data is mirrored to a less secure environment.

Outlook & Way Forward

In the near term, Microsoft and security vendors are likely to respond by updating detection signatures, hardening Phone Link’s data handling, and issuing guidance for administrators. Possible mitigations include restricting access to Phone Link data stores, adding encryption or user-consent prompts for message access, and providing clearer controls for disabling or limiting cross-device synchronization in high-risk environments.

Organizations should reassess their reliance on SMS-based 2FA, especially in contexts where Windows–Android integration features are enabled. Stronger authentication methods—such as hardware security keys, app-based authenticators that do not sync via desktop applications, or FIDO2/WebAuthn-based logins—are less vulnerable to this specific attack vector. Security teams should also incorporate CloudZ-related indicators of compromise into their monitoring and threat-hunting workflows, with particular attention to endpoints running Phone Link.
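The endpoint check that the paragraph above calls for, as an added PowerShell example that is not from the article, from Microsoft, or from any CloudZ analysis: it reports whether Phone Link is installed on a Windows machine, whether the current user has local Phone Link data that a desktop-resident RAT could read, and whether cross-device linking is blocked by policy. The package name Microsoft.YourPhone, the LocalCache path under the package family name Microsoft.YourPhone_8wekyb3d8bbwe, and the EnableMmx policy value are taken from Microsoft's Phone Link and Group Policy documentation as the author of this example understands it, and are assumptions to verify against your own build.

```powershell
# Added example, not from the article or from Microsoft. Inventories one Windows
# endpoint for Phone Link exposure so SMS-2FA risk can be assessed per machine.
# Run elevated if you uncomment the policy enforcement at the end.

function Get-PhoneLinkExposure {
    # 1. Is the Phone Link app installed for any user on this machine?
    #    Assumption: the Appx package is named Microsoft.YourPhone.
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.YourPhone' -ErrorAction SilentlyContinue

    # 2. Does the current user have a local Phone Link data store (the mirrored
    #    SMS/OTP content the article describes)? Assumption: it lives under the
    #    package family name's LocalCache folder in %LOCALAPPDATA%\Packages.
    $pfn   = 'Microsoft.YourPhone_8wekyb3d8bbwe'
    $cache = Join-Path $env:LOCALAPPDATA "Packages\$pfn\LocalCache"
    $cacheBytes = 0
    if (Test-Path $cache) {
        $cacheBytes = (Get-ChildItem $cache -Recurse -File -ErrorAction SilentlyContinue |
                       Measure-Object Length -Sum).Sum
    }

    # 3. Is "Phone-PC linking on this device" disabled by Group Policy?
    #    Assumption: the policy writes EnableMmx (DWORD, 0 = disabled) under
    #    HKLM\SOFTWARE\Policies\Microsoft\Windows\System.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $enableMmx = (Get-ItemProperty -Path $policyKey -Name 'EnableMmx' `
                  -ErrorAction SilentlyContinue).EnableMmx

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        User                = $env:USERNAME
        PhoneLinkInstalled  = [bool]$pkg
        PackageFullName     = if ($pkg) { ($pkg | Select-Object -First 1).PackageFullName } else { $null }
        LocalDataPresent    = ($cacheBytes -gt 0)
        LocalDataBytes      = $cacheBytes
        LinkingBlockedByGPO = ($enableMmx -eq 0)
        # Exposure: SMS mirrored to this PC and no policy preventing it.
        AtRisk              = ([bool]$pkg -and $cacheBytes -gt 0 -and $enableMmx -ne 0)
    }
}

$report = Get-PhoneLinkExposure
$report | Format-List

# Optional enforcement for high-risk endpoints (requires elevation); leave
# commented unless your policy decision is to disable cross-device linking.
# if ($report.AtRisk) {
#     New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Force | Out-Null
#     Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
#         -Name 'EnableMmx' -Value 0 -Type DWord
# }
```

Run it per machine (or wrap it in `Invoke-Command` across a fleet) and feed the `AtRisk` flag into the same inventory you use to decide which accounts still depend on SMS as a second factor; an endpoint that mirrors messages and lacks the policy is the one where an OTP can be read by whatever runs on the desktop.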

Longer term, the CloudZ campaign is likely to be a precursor to similar abuse of other cross-device platforms, such as browser-based messaging integrations or vendor-specific ecosystem bridges. Vendors will need to build security by design into these features, considering abuse cases where desktop compromise can grant access to data assumed to be phone-bound. Analysts should watch for follow-on campaigns adapting the same concept to other synchronization tools, as well as for industry-wide initiatives to reduce dependence on SMS as a second factor for high-value accounts.
