⚠️ Be Careful with Microsoft Phone Link — It’s Becoming a Major Attack Vector I want to call attention to something that’s flying under the radar for a lot of users and businesses: the Microsoft Phone Link app (formerly Your Phone). It’s a great productivity tool when used properly, as it lets you view messages, notifications, and photos from your Android phone (and even available now on iOS) Windows PC. But it’s also become a growing security concern. Here’s the problem: bad actors are now using this same convenience to their advantage. They’re tricking users (often through remote support scams or fake IT calls) into connecting a virtual or attacker-controlled phone to the victim’s computer using Phone Link. Once connected, the attacker can: - Receive MFA (multi-factor authentication) codes meant for the real user. - Access texts or notifications that contain password resets or verification codes. - Leverage access to other apps (like Outlook, Teams, or banking) that rely on SMS or app-based authentication. Because Phone Link operates within the user’s own Microsoft account, these attacks can slip right past normal endpoint protection tools. It looks like a legitimate connection. What to Watch For: - Never approve a Phone Link pairing unless you initiated it. - If someone “helping you” (even claiming to be from Microsoft or your IT provider) asks you to scan a QR code in the Phone Link app — stop immediately. - Check Settings → Bluetooth & Devices → Mobile Devices in Windows to see if an unfamiliar phone is connected. Remove anything you don’t recognize. - Use app-based MFA (like Microsoft Authenticator or Duo) instead of text-message codes whenever possible. - If you suspect compromise, disconnect the phone, reset your Microsoft account password, and contact your IT team. Technology designed for convenience often becomes a backdoor for exploitation when awareness doesn’t keep up. Microsoft Phone Link isn’t inherently bad, it’s just being misused by increasingly clever attackers.