CloudZ targets one-time passwords used to protect email, financial platforms, VPNs, and enterprise SaaS accounts, meaning a successful compromise can result in account takeover across multiple systems even when multi-factor authentication is in place. Organizations relying on SMS-based MFA as their primary second factor face the highest exposure, and the attack's invisibility to conventional endpoint tools increases dwell time and the likelihood of undetected lateral movement. Regulatory exposure is elevated for organizations subject to data protection requirements, as unauthorized access enabled by bypassed MFA may trigger breach notification obligations depending on what systems are accessed.
You Are Affected If
You run Windows 10 or Windows 11 endpoints with the Windows Phone Link application installed and an Android device paired
Users on those endpoints rely on SMS-based one-time passwords for account authentication (email, VPN, banking, SaaS)
ConnectWise ScreenConnect is present in the environment or accessible from it, whether authorized or not
Your EDR or antivirus solution does not have a detection rule for SQLite database access by non-Microsoft processes in the Phone Link data path
You have not audited or restricted RMM tool execution via application control or allowlisting policies
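The detection gap in the fourth point above can be closed with a rule that flags any process outside Microsoft-owned locations opening files in the Phone Link data path. The sketch below is an added example, not code from the advisory or from any vendor; it runs over constructed Windows Security event 4663 (object access auditing) records, and both the Phone Link folder pattern and the trusted image prefixes are assumptions to verify on your own endpoints.

```python
"""Flag non-Microsoft processes that open files inside the Phone Link data store.

Input records mimic Windows Security event 4663 fields: ObjectName, ProcessName,
SubjectUserName, AccessMask. The Phone Link folder pattern and the trusted image
prefixes are assumptions for this example; confirm them against a real endpoint.
"""
import re

# Assumed Phone Link data location under the user profile (verify on your build).
PHONE_LINK_DIR_PATTERN = r"\\AppData\\Local\\Packages\\Microsoft\.YourPhone_[^\\]+\\"

# Directories treated as Microsoft-owned for this sketch. A production rule should
# check the Authenticode signer of the image rather than trust a path prefix.
TRUSTED_IMAGE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\windowsapps\\microsoft.yourphone_",
)


def is_phone_link_store(object_name: str) -> bool:
    """True when the accessed object sits inside the assumed Phone Link data folder."""
    return re.search(PHONE_LINK_DIR_PATTERN, object_name, re.IGNORECASE) is not None


def is_trusted_image(process_name: str) -> bool:
    """True when the accessing process image lives in an allowlisted directory."""
    return process_name.lower().startswith(TRUSTED_IMAGE_PREFIXES)


def find_suspicious_access(events: list) -> list:
    """Return (process, user, object) for every untrusted access to the Phone Link store."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663 or not is_phone_link_store(ev["ObjectName"]):
            continue
        if is_trusted_image(ev["ProcessName"]):
            continue
        hits.append((ev["ProcessName"], ev["SubjectUserName"], ev["ObjectName"]))
    return hits


# Constructed sample events (PUBLISHERID is a placeholder); AccessMask 0x1 is ReadData.
STORE = "C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_PUBLISHERID\\LocalCache\\messages.db"
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1", "ObjectName": STORE,
     "ProcessName": "C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.0_x64__PUBLISHERID\\PhoneExperienceHost.exe"},
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1", "ObjectName": STORE,
     "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe"},
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ObjectName": "C:\\Users\\alice\\Documents\\notes.txt",
     "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe"},
]

if __name__ == "__main__":
    for proc, user, obj in find_suspicious_access(SAMPLE_EVENTS):
        print(f"ALERT user={user} process={proc} object={obj}")
```

Object access auditing must be enabled with a SACL on the Phone Link folder for 4663 events to be generated at all, so the rule is only as good as that audit configuration.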
Board Talking Points
Attackers can bypass the text-message login codes protecting our accounts by silently reading them from company laptops — without ever touching an employee's phone.
Security teams should audit and disable the Windows Phone Link feature on sensitive systems within 72 hours, and begin migrating to stronger authentication methods within 30 days.
Organizations that take no action remain exposed to undetected account takeovers that existing security tools are unlikely to catch, increasing the risk of data breach and regulatory liability.
PCI-DSS — SMS-based OTP bypass via compromised Windows endpoints may undermine MFA controls required for access to cardholder data environments under PCI-DSS v4.0 Requirement 8.4
HIPAA — If affected Windows endpoints are used to access electronic protected health information, bypassed MFA weakens access controls required under the HIPAA Security Rule (45 CFR 164.312(d))
SOC 2 — MFA bypass on systems in scope for SOC 2 Trust Service Criteria (CC6.1, CC6.3) may constitute a control failure requiring disclosure to auditors