AN1748: Analytic 1748
A defender correlates an unexpected change in cellular subscription state (eSIM/SIM profile change, carrier/operator change, or sudden persistent loss of cellular service) with near-term disruption signals and a rapid increase in authentication-related network activity consistent with SMS verification or account recovery flows, suggesting the user’s number has been ported to an adversary-controlled SIM/device (SIM swap impact).
Analyst context for executives and security teams
This analytic is about spotting a possible SIM swap impact on iOS by correlating an unexpected cellular subscription change or persistent loss of service with a rapid increase in authentication or account-recovery activity. For leaders, the value is not just mobile monitoring; it is early recognition that phone-number control may have shifted, which can affect account recovery, SMS verification, and incident containment decisions.
Executive priority
Prioritize this where mobile numbers are used for authentication, verification, or account recovery. The business question is whether the organization can quickly determine when a user’s cellular identity changes unexpectedly and whether that change coincides with risky authentication activity. This supports resilience, help desk escalation, identity risk decisions, and audit evidence around account recovery controls.
Technical view
For SOC and IR teams, validate whether iOS-related telemetry can show eSIM/SIM profile changes, carrier/operator changes, or sudden persistent cellular service loss, then correlate those events with near-term disruption signals and spikes in authentication-related network activity consistent with SMS verification or account recovery flows. No ATT&CK tactics or relationships were supplied, so detection engineering should treat this as a correlation analytic rather than a complete behavior chain.
Likely telemetry
- iOS device or mobile management records showing cellular subscription, eSIM/SIM profile, or carrier/operator state changes
- Signals of sudden or persistent cellular service loss where available
- Authentication and account recovery logs showing increased verification or recovery activity
- Network activity metadata associated with authentication-related flows
- User-reported or operational disruption signals that can be time-correlated with cellular state changes
Detection direction
- Validate that cellular subscription state changes are actually collected for managed iOS devices; many environments may not have this visibility.
- Correlate cellular state changes with authentication/account recovery activity in a short time window rather than alerting on either signal alone.
- Tune for expected events such as legitimate carrier changes, device replacements, travel, or planned support activity to reduce false positives.
- Escalate when persistent cellular service loss and rapid authentication-related activity occur together, because that combination is the core analytic signal described by ATT&CK.
- Document telemetry gaps clearly, especially for unmanaged devices or environments relying heavily on SMS verification.
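As an added example (not part of the MITRE object or the Glexia analysis), the following Python sketches the correlation the list above describes: a cellular change event, a short look-ahead window, a threshold on authentication/recovery events, and a planned-ticket list for tuning out legitimate carrier changes. The event schema, field names, window, threshold and sample events are all assumptions.

```python
# Added example (not MITRE or Glexia content): flag a cellular subscription change
# followed by a burst of authentication/recovery events within a short window.
# The event schema, field names and sample events are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # look-ahead window after the cellular change
AUTH_THRESHOLD = 3               # verification/recovery events needed to escalate
CELL_CHANGE = {"esim_profile_change", "carrier_change", "service_loss_persistent"}
AUTH = {"sms_verification", "account_recovery", "password_reset"}

def correlate_sim_swap(events, planned_tickets=frozenset()):
    """One alert per user whose cellular change is followed by >= AUTH_THRESHOLD
    auth-related events within WINDOW. Users with a planned carrier-change or
    support ticket are kept but marked suppressed (false-positive tuning)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["type"]))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, kind) in enumerate(evs):
            if kind not in CELL_CHANGE:
                continue
            hits = sum(1 for ts, k in evs[i + 1:] if k in AUTH and ts - start <= WINDOW)
            if hits >= AUTH_THRESHOLD:
                alerts.append({"user": user, "trigger": kind, "auth_events": hits,
                               "suppressed": user in planned_tickets})
    return alerts

# Constructed telemetry: alice shows the core pattern; bob's carrier change is
# followed by a single verification (no alert); carol's pattern has a support ticket.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "type": "service_loss_persistent"},
    {"ts": "2025-01-10T09:05:00", "user": "alice", "type": "sms_verification"},
    {"ts": "2025-01-10T09:07:00", "user": "alice", "type": "account_recovery"},
    {"ts": "2025-01-10T09:12:00", "user": "alice", "type": "password_reset"},
    {"ts": "2025-01-10T10:00:00", "user": "bob", "type": "carrier_change"},
    {"ts": "2025-01-10T10:20:00", "user": "bob", "type": "sms_verification"},
    {"ts": "2025-01-10T11:00:00", "user": "carol", "type": "esim_profile_change"},
    {"ts": "2025-01-10T11:02:00", "user": "carol", "type": "sms_verification"},
    {"ts": "2025-01-10T11:03:00", "user": "carol", "type": "account_recovery"},
    {"ts": "2025-01-10T11:04:00", "user": "carol", "type": "sms_verification"},
]

if __name__ == "__main__":
    for alert in correlate_sim_swap(SAMPLE_EVENTS, planned_tickets={"carol"}):
        print(alert)
```

Suppressed alerts are returned rather than dropped so an analyst can still review them if the ticket turns out to be unrelated.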
Mitigation priorities
- Reduce dependence on SMS-based verification or recovery for high-risk accounts where feasible.
- Strengthen account recovery review and escalation when mobile-number control is uncertain.
- Ensure incident response playbooks include identity containment steps when a suspected SIM swap affects authentication or recovery flows.
- Align mobile device visibility, identity logs, and help desk processes so correlation is possible during an investigation.
Analyst notes and limits
This is a mobile ATT&CK detection analytic for iOS, external ID AN1748. Its practical value depends on combining mobile cellular-state evidence with identity and authentication activity. Because no relationships, tactics, or formal detection logic were supplied, local implementation must define time windows, thresholds, and escalation criteria.
Official detection content was not provided, and no ATT&CK relationships were supplied. The object supports iOS only. This take does not assert active exploitation, attribution, guaranteed coverage, or applicability to other platforms.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 2568a47ab4c2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1748 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.