Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs

Summary

A new malware campaign, featuring a remote access trojan called CloudZ and a plugin named Pheno, is abusing Microsoft's Phone Link feature to steal SMS-based one-time passwords (OTPs) and other sensitive mobile data from Windows PCs. This technique exploits the trust relationship between phones and PCs, allowing attackers to harvest credentials and authentication codes without compromising the mobile device itself.

IFF Assessment

FOE

This is bad news for defenders: it introduces a novel attack vector that bypasses traditional mobile device security and instead targets enterprise PCs to steal multi-factor authentication codes.

Defender Context

Defenders should be aware of this new tactic, which leverages legitimate Microsoft Phone Link functionality to exfiltrate sensitive data, including OTPs. It highlights the need for robust endpoint security and monitoring for unusual process activity related to Phone Link, as well as for educating users about the risks of syncing mobile data to enterprise PCs.