MITRE ATT&CK® Analytic

AN1747: Analytic 1747

A defender correlates a sudden carrier identity/service state change (SIM/line identifier change or unexpected loss of cellular service) with near-term device messaging/telephony disruption and a concurrent shift in authentication traffic patterns—such as a spike in SMS-based verification flows or account recovery activity from the same user’s identities—indicating the user’s number may have been transferred to a different SIM/device (SIM swap impact).

Domain: Mobile | ID: AN1747 | Type: Analytic | Object version: 1.1 | Modified: (no date in snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because a SIM swap can turn a user’s phone number into an attack surface for account recovery and SMS-based verification. For leaders, the key issue is not just mobile device health; it is whether identity, telecom, and SOC signals can be correlated quickly enough to recognize that a user may have lost control of their number before account recovery or authentication abuse causes business disruption.

Executive priority

Prioritize this where the business still relies on SMS verification, phone-number-based recovery, or mobile access for workforce identities. The executive question is whether teams can prove they would see a sudden carrier service or line-identifier change, connect it to messaging or telephony disruption, and compare it with near-term authentication pattern changes. This supports incident decision-making, identity risk management, and audit evidence around account recovery controls.

Technical view

For Android environments, validate whether defenders can correlate three evidence areas: sudden carrier identity or service-state changes, near-term device messaging or telephony disruption, and concurrent authentication changes such as increased SMS verification or account recovery events for the same user identities. Because no official detection logic is provided and no ATT&CK relationships are supplied, teams should treat this as a correlation design requirement rather than a ready-to-run rule.

Likely telemetry

  • Android device carrier/service state or SIM/line identifier change events where available
  • Mobile messaging and telephony disruption indicators
  • Identity provider authentication logs
  • SMS-based verification events
  • Account recovery activity tied to the same user identity

Detection direction

  • Validate that mobile, identity, and authentication logs share a reliable user or device correlation key.
  • Tune for near-term correlation between cellular service or SIM/line changes and unusual SMS verification or account recovery activity.
  • Review false positives from legitimate carrier changes, device replacements, roaming/service outages, help desk number updates, and planned mobile migrations.
  • Identify blind spots where SMS verification events are logged but carrier or device state changes are not centrally collected.
  • Use this analytic as a trigger for identity risk review, not as standalone proof of compromise.
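The correlation the Detection direction list describes, worked through as an added example; this is not code from the page, from Glexia, or from MITRE's analytic. The event schema, the mapping of events onto the three evidence areas, the two-hour window, the "three or more authentication events" threshold, the planned-change suppression list and all sample records are constructed assumptions, chosen to show the rule firing, being suppressed for a known help desk change, and exposing a telemetry blind spot.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (not taken from the page). Every record carries
# the shared correlation key the Detection direction asks for: the user identity.
@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    source: str   # "mobile" (carrier/SIM state), "telephony" (messaging/calls), "idp" (identity provider)
    kind: str

# Assumed mapping of (source, kind) pairs onto the three evidence areas named in the analytic.
EVIDENCE_AREAS = {
    "carrier": {("mobile", "sim_change"), ("mobile", "service_lost")},
    "disruption": {("telephony", "sms_undelivered"), ("telephony", "call_failed")},
    "auth": {("idp", "sms_verify"), ("idp", "account_recovery")},
}

def evidence_area(ev):
    """Return the evidence area an event belongs to, or None if it is noise."""
    for area, pairs in EVIDENCE_AREAS.items():
        if (ev.source, ev.kind) in pairs:
            return area
    return None

def correlate(events, window_minutes=120, auth_threshold=3, planned=frozenset()):
    """Flag users whose carrier/SIM change is followed, within the window, by
    messaging/telephony disruption AND at least `auth_threshold` SMS-verification
    or account-recovery events. `planned` holds (user, date) pairs for help desk
    number updates or planned migrations, which are suppressed as known benign.
    Returns at most one finding per user, anchored on the earliest qualifying carrier event."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for anchor in (e for e in evs if evidence_area(e) == "carrier"):
            if (user, anchor.ts.date()) in planned:
                continue  # legitimate, documented change: do not alert
            in_window = [e for e in evs if anchor.ts <= e.ts <= anchor.ts + window]
            disruption = [e for e in in_window if evidence_area(e) == "disruption"]
            auth = [e for e in in_window if evidence_area(e) == "auth"]
            if disruption and len(auth) >= auth_threshold:
                findings.append({
                    "user": user,
                    "anchor": anchor.ts.isoformat(),
                    "carrier_event": anchor.kind,
                    "disruption_events": len(disruption),
                    "auth_events": len(auth),
                })
                break  # one finding per user is enough to trigger an identity risk review
    return findings

def blind_spots(events):
    """Users with SMS verification or recovery activity but no mobile telemetry at
    all: the correlation can never fire for them, so they are a coverage gap."""
    with_auth = {e.user for e in events if evidence_area(e) == "auth"}
    with_mobile = {e.user for e in events if e.source == "mobile"}
    return sorted(with_auth - with_mobile)

def T(hhmm):
    """Build a timestamp on one fixed, constructed day."""
    return datetime(2025, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

SAMPLE_EVENTS = [
    # alice: SIM change, then SMS failure, then a burst of verification/recovery -> finding
    Event(T("09:00"), "alice", "mobile", "sim_change"),
    Event(T("09:10"), "alice", "telephony", "sms_undelivered"),
    Event(T("09:20"), "alice", "idp", "sms_verify"),
    Event(T("09:25"), "alice", "idp", "sms_verify"),
    Event(T("09:40"), "alice", "idp", "account_recovery"),
    # bob: same pattern, but the help desk recorded a planned number update that day -> suppressed
    Event(T("10:00"), "bob", "mobile", "sim_change"),
    Event(T("10:05"), "bob", "telephony", "sms_undelivered"),
    Event(T("10:15"), "bob", "idp", "sms_verify"),
    Event(T("10:16"), "bob", "idp", "sms_verify"),
    Event(T("10:30"), "bob", "idp", "account_recovery"),
    # carol: SMS verification events, but no mobile telemetry collected -> blind spot
    Event(T("11:00"), "carol", "idp", "sms_verify"),
    Event(T("11:05"), "carol", "idp", "sms_verify"),
    # dave: service loss with no authentication activity -> no finding
    Event(T("12:00"), "dave", "mobile", "service_lost"),
    Event(T("12:30"), "dave", "telephony", "call_failed"),
]
PLANNED_CHANGES = frozenset({("bob", T("10:00").date())})

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS, planned=PLANNED_CHANGES):
        print("identity risk review:", finding)
    print("blind spots:", blind_spots(SAMPLE_EVENTS))
```

The fixed `auth_threshold` stands in for the per-user baseline comparison a production rule would use to define a "spike"; the `planned` set is where help desk number updates and scheduled migrations from the false-positive list above would be fed in. The first bullet still applies before any of this is useful: the `user` field only works as a correlation key if the mobile, telephony and identity sources really populate it with the same identity.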

Mitigation priorities

  • Reduce dependence on SMS-based verification and phone-number-only account recovery where business processes allow.
  • Strengthen identity recovery workflows with additional verification and documented escalation paths.
  • Maintain accurate user, device, and phone-number inventories to support correlation and incident response.
  • Ensure SOC and IAM teams have a playbook for suspected SIM swap impact, including account recovery review and user contact procedures.
  • Periodically test whether the organization can connect mobile service disruption with authentication and recovery activity.

Analyst notes and limits

The supplied ATT&CK object is a mobile detection analytic for Android and describes correlation logic for possible SIM swap impact. It does not provide a formal detection query, tactics, relationships, aliases, or labels. The strongest use is as a coverage validation prompt across mobile telemetry, identity logs, and account recovery monitoring.

This take is limited to the official STIX fields, external reference, and the absence of relationship context. It does not establish active exploitation, attribution, guaranteed detectability, or coverage in any specific environment. Local telemetry availability and identity process design will determine practical effectiveness.

Official MITRE ATT&CK definition

Analytic 1747

A defender correlates a sudden carrier identity/service state change (SIM/line identifier change or unexpected loss of cellular service) with near-term device messaging/telephony disruption and a concurrent shift in authentication traffic patterns—such as a spike in SMS-based verification flows or account recovery activity from the same user’s identities—indicating the user’s number may have been transferred to a different SIM/device (SIM swap impact).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created: (no value in snapshot)
Modified: (no value in snapshot)
Raw hash: b84455f94c0b6b65...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | b84455f94c0b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1747 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.