DET0156: Detection Strategy for Resource Hijacking: SMS Pumping via SaaS Application Logs
DET0156 is a detection strategy for identifying SMS pumping through SaaS application logs. The business issue is not just fraud: unchecked SMS pumping can...
Analyst context for executives and security teams
DET0156 is a detection strategy for identifying SMS pumping through SaaS application logs. The business issue is not just fraud: unchecked SMS pumping can create unexpected usage costs and affect availability of hosted messaging-dependent workflows such as sign-up, authentication, notifications, or customer communications. Because the ATT&CK object has no official detection logic, organizations should treat it as a prompt to verify whether SaaS messaging activity is logged, monitored, and reviewed for abnormal cost or volume patterns.
Executive priority
Prioritize this where SaaS messaging supports revenue, customer access, identity verification, or operational communications. Leaders should ask who owns SMS cost monitoring, who can disable or rate-limit abusive messaging paths, and whether incident responders have timely SaaS log access. This also supports audit and compliance readiness by showing that externally hosted service usage is monitored for abuse that could affect availability and financial exposure.
Technical view
The object is a detection strategy that detects ATT&CK technique T1496.003, SMS Pumping, under the Impact tactic, with the related platform listed as SaaS. SOC and detection engineering teams should validate that SaaS application logs can show SMS generation events, account or tenant context, destination metadata where available, request source context, timestamps, and usage volume. Because no official detection text is supplied, teams should develop local baselines for expected SMS volume, destinations, triggering workflows, and user/application sources, then alert on significant deviations that could indicate resource hijacking.
Likely telemetry
- SaaS application logs for SMS send or messaging events
- Tenant, account, user, application, or API client identifiers associated with SMS activity
- Timestamps and event counts sufficient for rate and volume analysis
- Destination phone number metadata where available and permitted
- Workflow or feature context that triggered SMS messages, such as registration, verification, or notification flows
Detection direction
- Confirm that SaaS logs are retained and accessible quickly enough for SOC and incident response use.
- Build baselines for normal SMS volume by tenant, application, workflow, geography, and time period where the data exists.
- Alert on sudden increases in SMS sends, unusual destination patterns, repeated sends tied to a small set of workflows, or usage approaching quota or billing thresholds.
- Correlate SMS volume anomalies with application activity and configuration changes to reduce false positives from legitimate campaigns, onboarding events, or business notifications.
- Document blind spots where the SaaS provider does not expose destination, source, or billing details needed to distinguish normal use from abuse.
Mitigation priorities
- Establish ownership for SaaS messaging configuration, monitoring, and emergency response actions.
- Apply practical usage controls such as quotas, rate limits, approval workflows, or feature restrictions where the SaaS service supports them.
- Ensure billing and usage alerts reach both operational owners and security responders.
- Review authentication, authorization, and API access paths that can trigger SMS sends, especially for externally exposed workflows.
- Maintain an incident playbook for suspected SMS pumping that covers log collection, temporary throttling or disabling of messaging flows, provider escalation, and business communication.
Analyst notes and limits
This take is based on the detection strategy object DET0156 and its relationship to ATT&CK technique T1496.003 SMS Pumping. The strongest decision value is validating SaaS log visibility, cost/usage monitoring, and operational response readiness for resource hijacking scenarios.
The supplied ATT&CK object has no official description, no official detection text, no tactics, and no platforms specified for the detection strategy itself. Platform and tactic context comes from the related technique, which lists SaaS and Impact. Local SaaS capabilities, log fields, business workflows, and provider controls are required to turn this into a concrete analytic.
Detection Strategy for Resource Hijacking: SMS Pumping via SaaS Application Logs
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1496.003 | SMS Pumping Sub-technique | This object detects SMS Pumping. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 592a8a72513c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0156Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.