AN1670: Analytic 1670
A defender correlates Safari or embedded web content navigation with short-lived but abnormal web session behavior such as staged redirects, environment fingerprinting, or exploit-preparation fetches, followed by browser/WebView instability, unusual file handling, profile/download prompts, or near-term changes in device or application behavior inconsistent with normal browsing.
Analyst context for executives and security teams
AN1670 is a mobile detection analytic for iOS that focuses on suspicious Safari or embedded WebView browsing chains: short-lived abnormal sessions, staged redirects, fingerprinting, exploit-preparation fetches, and then signs such as browser instability, unusual file handling, profile or download prompts, or near-term device/app behavior changes. For leaders, the value is not that every redirect is malicious; it is that mobile web activity can be an early signal before a device or application state changes in ways that affect user trust, executive mobility, and incident response decisions.
Executive priority
Prioritize this analytic where iOS devices are used for sensitive work, executive communications, regulated workflows, or access to business applications. The business question is whether the organization can correlate mobile browsing events with follow-on device or application anomalies quickly enough to support containment, user guidance, and evidence collection. Because ATT&CK provides no official detection implementation or relationship context here, this should be treated as a validation target for mobile telemetry readiness rather than a guaranteed detection capability.
Technical view
SOC and detection teams should validate whether they can correlate Safari and embedded WebView navigation patterns with short-lived abnormal web sessions and subsequent iOS behavior changes. The analytic points to sequences involving staged redirects, environment fingerprinting, exploit-preparation fetches, browser/WebView instability, unusual file handling, profile/download prompts, or near-term application/device behavior inconsistent with normal browsing. Since no tactic, relationship, or official detection logic is supplied, teams should define local baselines for normal mobile browsing and WebView behavior before alerting on deviations.
Likely telemetry
- iOS Safari browsing or navigation events where available
- Embedded WebView navigation events from managed or instrumented applications where available
- Web session metadata such as redirect chains, session duration, domains, URLs, and fetch patterns
- Browser or WebView crash, instability, or abnormal termination signals
- File handling, download, and profile prompt events on iOS
Detection direction
- Validate that Safari and embedded WebView telemetry exists; many mobile environments have limited visibility into one or both.
- Correlate abnormal web-session behavior with follow-on instability, prompts, file handling, or app/device changes rather than alerting on redirects alone.
- Tune against the common benign causes of redirect chains: identity-provider authentication flows, content delivery networks, advertising, and application deep-link handoffs.
- Separate executive/high-risk device monitoring requirements from broad fleet monitoring if telemetry volume or privacy constraints limit collection.
- Document where detection is impossible because iOS, application, or management tooling does not expose the required events.
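The correlation that the Technical view and the Detection direction bullets describe, as an added worked example rather than code from ATT&CK, Glexia, or any MDM product: it scores a web session as abnormal (redirect hops into several unexpected domains, fingerprint or staging fetches, short duration) and only raises an alert when a follow-on signal such as a WebView crash or a profile prompt lands on the same device within a short window. The event field names, the benign-domain allowlist, the fingerprint markers, the thresholds, and the sample sessions and device events are all assumptions constructed for illustration; real Safari, WebView, and MDM telemetry will need its own mapping and baseline.

```python
"""Correlate short-lived abnormal iOS web sessions with follow-on device signals.

Added example; not part of the ATT&CK object or any vendor tooling. Field names,
allowlist, markers, thresholds and sample data are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed baseline: domains whose redirects are routinely benign (IdP, CDN). Tune locally.
BENIGN_REDIRECT_DOMAINS = {"login.microsoftonline.com", "accounts.google.com", "cdn.example-corp.com"}
# Assumed URL markers for environment fingerprinting / exploit-preparation fetches.
FINGERPRINT_MARKERS = ("fp.js", "fingerprint", "webgl-probe", "/stage2")
MAX_SESSION_SECONDS = 20        # "short-lived" threshold (assumption)
MIN_SUSPICIOUS_REDIRECTS = 3    # distinct unexpected domains in the redirect chain
FOLLOW_ON_WINDOW = timedelta(minutes=10)
FOLLOW_ON_KINDS = {"webview_crash", "safari_crash", "profile_prompt", "download_prompt", "unusual_file_open"}


@dataclass
class WebSession:
    device_id: str
    session_id: str
    start: datetime
    end: datetime
    redirect_chain: list[str]   # URLs visited in order
    fetched_urls: list[str]     # sub-resources fetched during the session


@dataclass
class DeviceEvent:
    device_id: str
    time: datetime
    kind: str
    detail: str = ""


def _domain(url: str) -> str:
    return urlparse(url).hostname or ""


def session_abnormality(s: WebSession) -> list[str]:
    """Return the reasons a session looks abnormal; an empty list means it looks normal."""
    reasons: list[str] = []
    domains = [_domain(u) for u in s.redirect_chain]
    unexpected = {d for d in domains[1:] if d not in BENIGN_REDIRECT_DOMAINS}
    if len(unexpected) >= MIN_SUSPICIOUS_REDIRECTS:
        reasons.append(f"staged redirects across {len(unexpected)} unexpected domains")
    hits = [u for u in s.fetched_urls if any(m in u.lower() for m in FINGERPRINT_MARKERS)]
    if hits:
        reasons.append(f"fingerprint/exploit-prep fetch: {hits[0]}")
    # Short duration is only meaningful alongside another signal; alone it is normal browsing.
    duration = (s.end - s.start).total_seconds()
    if reasons and duration <= MAX_SESSION_SECONDS:
        reasons.append(f"short-lived session ({duration:.0f}s)")
    return reasons


def correlate(sessions: list[WebSession], events: list[DeviceEvent]) -> list[dict]:
    """Alert only when an abnormal session is followed, on the same device and within
    FOLLOW_ON_WINDOW, by a crash, prompt or file-handling event. Redirects alone never alert."""
    alerts = []
    for s in sessions:
        reasons = session_abnormality(s)
        if not reasons:
            continue
        follow_on = [e for e in events
                     if e.device_id == s.device_id and e.kind in FOLLOW_ON_KINDS
                     and s.end <= e.time <= s.end + FOLLOW_ON_WINDOW]
        if follow_on:
            alerts.append({"device_id": s.device_id, "session_id": s.session_id,
                           "reasons": reasons,
                           "follow_on": [(e.kind, e.time.isoformat()) for e in follow_on]})
    return alerts


# Constructed sample telemetry (not real logs).
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_SESSIONS = [
    # Benign: SSO flow through the IdP, several minutes long.
    WebSession("ipad-exec-01", "s1", T0, T0 + timedelta(minutes=4),
               ["https://intranet.example-corp.com/", "https://login.microsoftonline.com/auth",
                "https://intranet.example-corp.com/home"],
               ["https://cdn.example-corp.com/app.js"]),
    # Suspicious: three throwaway redirect domains, fingerprint + stage2 fetch, 12 s session.
    WebSession("ipad-exec-01", "s2", T0 + timedelta(minutes=30), T0 + timedelta(minutes=30, seconds=12),
               ["https://news.example-site.test/article", "https://r1.example-redir.test/go",
                "https://r2.example-redir.test/x", "https://landing.example-final.test/p"],
               ["https://landing.example-final.test/fp.js", "https://landing.example-final.test/stage2"]),
    # Suspicious session with no follow-on inside the window: must not alert on its own.
    WebSession("iphone-sales-07", "s3", T0, T0 + timedelta(seconds=8),
               ["https://a.example-redir.test/", "https://b.example-redir.test/",
                "https://c.example-redir.test/", "https://d.example-redir.test/"],
               ["https://d.example-redir.test/fingerprint.js"]),
]
SAMPLE_EVENTS = [
    DeviceEvent("ipad-exec-01", T0 + timedelta(minutes=31), "webview_crash", "com.apple.WebKit.WebContent SIGSEGV"),
    DeviceEvent("ipad-exec-01", T0 + timedelta(minutes=33), "profile_prompt", "Install configuration profile?"),
    DeviceEvent("iphone-sales-07", T0 + timedelta(hours=3), "download_prompt", ""),  # outside the window
]


def run_sample() -> list[dict]:
    return correlate(SAMPLE_SESSIONS, SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The design point is the gate in `correlate`: an abnormal redirect chain or fingerprint fetch is recorded as a reason but never alerts by itself, which is what keeps the analytic usable against advertising and authentication redirects. The allowlist, markers and window are the parts that must be derived from a local baseline before this is wired to anything that pages a responder.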
Mitigation priorities
- Inventory which iOS devices and managed applications can provide Safari or WebView-related evidence.
- Define acceptable mobile web, download, profile prompt, and application behavior baselines for managed iOS use cases.
- Strengthen mobile device management and application governance so suspicious profile/download prompts or unusual file handling can be reviewed quickly.
- Prepare incident response playbooks for suspicious mobile browsing followed by device or application anomalies, including evidence preservation and user communication.
- Use validation results to inform mobile security control investments and compliance evidence around monitoring and response readiness.
Analyst notes and limits
This object is a detection analytic in the mobile ATT&CK domain for iOS. It has no supplied tactic, no relationships, and no official detection text beyond the analytic description. The strongest use is as a coverage-assessment prompt: can the organization connect web navigation anomalies to near-term iOS device or application changes?
No active exploitation, attribution, affected software beyond iOS platform context, or guaranteed detection coverage is stated in the supplied ATT&CK fields. Local telemetry, privacy constraints, MDM capabilities, application instrumentation, and normal browsing baselines will determine practical usefulness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b9825c735336… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1670 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.