RC RANDOM CHAOS

Windows Phone Link Abused to Siphon SMS and Defeat 2FA

Original source: "Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA" (Dark Reading)

Attackers are weaponizing Microsoft’s Phone Link feature, the built-in Windows utility that pairs a PC with a mobile device for messaging and notifications, to silently exfiltrate SMS traffic from victims. By coercing or tricking users into completing the pairing handshake, an adversary with access to the Windows host gains a live mirror of incoming texts without ever touching the phone again.

The immediate payoff is bypassing SMS-based two-factor authentication. Once the link is established, one-time codes sent to the victim’s number surface on the attacker-controlled PC alongside any other message traffic, defeating account protections that assume the phone is the sole receiver. The technique sidesteps traditional malware detection because Phone Link is a signed, legitimate Microsoft component running with expected behavior.

The attack reinforces a known weakness in SMS as a second factor and highlights the broader risk of OS-level convenience features that bridge trust boundaries between devices. Defenders should monitor Phone Link pairing events, restrict the feature in managed environments where it isn’t required, and accelerate migration off SMS 2FA toward phishing-resistant factors like FIDO2 or authenticator apps.
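One way to act on the "restrict the feature" recommendation on a managed Windows host, as an added example that is not taken from the Dark Reading article or from Microsoft. It assumes the "Phone-PC linking on this device" policy value `EnableMmx`, the `Microsoft.YourPhone` package name and the `PhoneExperienceHost` process name, none of which appear in the article; the function name is hypothetical.

```powershell
# Added example: audit, and optionally enforce, the Phone Link restriction on one host.
# Assumptions (not stated in the article): policy value EnableMmx, package
# Microsoft.YourPhone, process PhoneExperienceHost. Run from an elevated session.

function Get-PhoneLinkExposure {
    [CmdletBinding()]
    param(
        # When set, write the policy value that blocks phone-PC linking.
        [switch]$Enforce
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $valueName = 'EnableMmx'   # 0 = phone-PC linking blocked by policy

    if ($Enforce) {
        if (-not (Test-Path $policyKey)) {
            New-Item -Path $policyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $policyKey -Name $valueName -Value 0 -Type DWord
    }

    # A missing value means the policy is not configured, so linking is allowed.
    $policy = (Get-ItemProperty -Path $policyKey -Name $valueName `
                   -ErrorAction SilentlyContinue).$valueName

    # Is the Phone Link app provisioned for any user on this machine?
    $packages = @(Get-AppxPackage -AllUsers -Name 'Microsoft.YourPhone' `
                      -ErrorAction SilentlyContinue)

    # Is the Phone Link host process running right now, and under which account?
    $running = @(Get-Process -Name 'PhoneExperienceHost' -IncludeUserName `
                     -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PolicyValue    = $policy
        LinkingBlocked = ($policy -eq 0)
        PackageVersion = ($packages.Version | Sort-Object -Unique) -join ','
        RunningAs      = ($running.UserName | Sort-Object -Unique) -join ','
        # Flag hosts where the app is present and no policy blocks linking.
        NeedsReview    = ($policy -ne 0) -and ($packages.Count -gt 0)
    }
}

# Report only; add -Enforce to set the blocking policy value.
Get-PhoneLinkExposure | Format-List
```

In a domain or MDM-managed fleet the same setting is better delivered through Group Policy or the device-management channel than by writing the registry on each host, with this audit used to confirm the result.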

This is an AI-generated summary. Read the original for the full story.