AN1676: Analytic 1676
The defender correlates a supervised-device or managed-app request to a legitimate web platform with a subsequent connection to a newly derived destination that is not part of the expected service interaction. Because iOS has weaker app-level telemetry, the strongest signal is a network-level sequence where a request to a known public platform is immediately followed by a connection to a different domain or IP, particularly when the device is locked, no recent user interaction occurred, and the bundle is not expected to interact with such downstream infrastructure.
Analyst context for executives and security teams
AN1676 is an iOS mobile detection analytic focused on suspicious network sequencing: a managed app or supervised device contacts a legitimate public web platform, then immediately connects to a newly derived domain or IP that is not expected for that service interaction. For leaders, the value is in validating whether mobile and network monitoring can distinguish normal app/cloud service behavior from unexpected downstream connections, especially where iOS app-level telemetry is limited.
Executive priority
This matters for organizations that rely on managed iOS devices for business operations, regulated access, executive communications, or mobile workforce productivity. The business question is not simply whether the organization has mobile device management, but whether it can produce usable evidence when a managed iOS device makes unexpected network connections after interacting with a legitimate platform. Prioritize this analytic where mobile access is material to identity, cloud application access, incident response scoping, or compliance evidence.
Technical view
SOC and detection teams should validate whether they can correlate supervised-device or managed-app network requests to known public platforms with immediate subsequent connections to different domains or IPs that are not part of the expected service flow. Because the ATT&CK description notes weaker app-level telemetry on iOS, the practical detection burden shifts to network-level sequence analysis, device supervision context, managed-app context, lock state, recent user interaction, and expected bundle-to-infrastructure behavior. No ATT&CK tactics or relationships were supplied, so this should be treated as a detection analytic to operationalize rather than as a complete behavior-to-campaign mapping.
Likely telemetry
- iOS supervised-device network connection logs
- Managed app network activity where available
- DNS queries and responses from managed iOS devices
- Proxy, secure web gateway, firewall, or network sensor logs
- Domain and IP reputation or categorization context
Detection direction
- Confirm that network telemetry can preserve time-ordered sequences from the same iOS device or managed app.
- Build or validate baselines for legitimate public platforms and their expected downstream domains or IP ranges before alerting on deviations.
- Tune for immediate follow-on connections to a different domain or IP after a legitimate platform request, especially when the device is locked or there was no recent user interaction.
- Account for false positives from legitimate content delivery networks, authentication flows, embedded web content, redirects, mobile SDKs, and cloud service dependencies.
- Use managed-app and bundle context where available, but do not assume full app-level visibility on iOS.
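One way to operationalize the time-ordered correlation described above over proxy/DNS-style records, as an added example that is not part of the ATT&CK object or this page: the platform hostnames, bundle ids, device ids, baseline and log lines are all constructed, and lock state and idle time are assumed to be joinable from MDM or device telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline (hypothetical names): a legitimate public platform and the
# downstream hosts its normal service interaction is expected to reach.
EXPECTED_DOWNSTREAM = {
    "api.platform.example": {"cdn.platform.example", "auth.platform.example"},
}

@dataclass
class NetEvent:
    ts: datetime   # connection time from proxy/DNS/sensor log
    device: str    # supervised-device identifier from MDM
    bundle: str    # managed-app bundle id, if the sensor exposes it
    dest: str      # destination domain or IP
    locked: bool   # device lock state at the time (assumed from MDM/device telemetry)
    idle_s: int    # seconds since last user interaction (assumed available)

def follow_on_findings(events, window_s=5, idle_threshold_s=60):
    """Flag a platform request immediately followed, on the same device and bundle,
    by a connection to a destination outside that platform's expected set."""
    window = timedelta(seconds=window_s)
    ordered = sorted(events, key=lambda e: (e.device, e.bundle, e.ts))
    findings = []
    for i, req in enumerate(ordered):
        expected = EXPECTED_DOWNSTREAM.get(req.dest)
        if expected is None:
            continue  # not a request to a known public platform
        for nxt in ordered[i + 1:]:
            if (nxt.device, nxt.bundle) != (req.device, req.bundle) or nxt.ts - req.ts > window:
                break  # left this device/bundle group or the correlation window
            if nxt.dest == req.dest or nxt.dest in expected:
                continue  # same platform or a baselined downstream host
            # A locked device with no recent interaction makes the sequence more suspicious.
            score = 1 + int(nxt.locked) + int(nxt.idle_s >= idle_threshold_s)
            findings.append({"device": req.device, "bundle": req.bundle,
                             "platform": req.dest, "follow_on": nxt.dest,
                             "delta_s": (nxt.ts - req.ts).total_seconds(), "score": score})
    return findings

def sample_events():
    """Constructed records for three devices; only dev-b and dev-c should fire."""
    t0 = datetime(2026, 1, 15, 2, 14, 0)
    return [
        NetEvent(t0, "dev-a", "com.example.notes", "api.platform.example", False, 3),
        NetEvent(t0 + timedelta(seconds=1), "dev-a", "com.example.notes", "cdn.platform.example", False, 4),
        NetEvent(t0, "dev-b", "com.example.notes", "api.platform.example", True, 900),
        NetEvent(t0 + timedelta(seconds=2), "dev-b", "com.example.notes", "203.0.113.10", True, 902),
        NetEvent(t0, "dev-c", "com.example.notes", "api.platform.example", False, 2),
        NetEvent(t0 + timedelta(seconds=3), "dev-c", "com.example.notes", "updates.other.example", False, 5),
    ]
```

The score is only a triage ordering: a locked, idle device reaching an unbaselined destination (dev-b) ranks above an interactive follow-on (dev-c), and the CDN/auth/SDK false positives listed above are handled by extending the per-platform expected set rather than by loosening the window.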
Mitigation priorities
- Ensure iOS devices in scope are supervised or otherwise managed where business requirements allow.
- Maintain MDM/mobile management inventory that links users, devices, managed apps, and expected business services.
- Route managed iOS traffic through logging-capable network controls where appropriate for privacy, legal, and operational requirements.
- Define expected network interaction baselines for critical mobile apps and public platforms used by the business.
- Establish incident response procedures for unexpected mobile network destinations, including device containment, user validation, and evidence preservation.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for the mobile domain and iOS platform. Its strongest operational message is that iOS telemetry limitations make network-level correlation especially important. Since no relationships, tactics, or official detection field were supplied, local baselining and environment-specific validation are required before this can be promoted into production alerting.
This take is limited to the official STIX fields, the MITRE external reference, and the supplied description. No active exploitation, attribution, affected software list, tactic mapping, or relationship context was provided. Detection feasibility depends on local iOS management posture, network logging architecture, privacy constraints, and the availability of device state and user interaction telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | ed5fa1a6c205… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1676 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.