MITRE ATT&CK® Detection Strategy

DET0611: Detection of Access Notifications

Mobile | DET0611 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0611 is a mobile ATT&CK detection strategy for identifying Access Notifications behavior, where an adversary may collect sensitive information exposed in operating system or application notifications. The business significance is that notifications can contain one-time authentication codes and other sensitive prompts, so this behavior can weaken identity assurance even when MFA is deployed.

Executive priority

Security leaders should treat this as an identity and mobile-risk validation item: are mobile devices, especially the Android devices in scope for the related technique, monitored and governed well enough to identify suspicious notification access or abuse? This matters for incident decision-making, MFA control confidence, compliance evidence around access protection, and mobile security program maturity. Because the ATT&CK object provides no official detection text or platform list for the strategy itself, priority should be based on local exposure to mobile authentication workflows and managed-device visibility.

Technical view

SOC, mobile security, and IR teams should validate whether they can investigate suspicious access to notification content, notification dismissal, or interaction with notification action buttons in environments where Android devices are used. The relationship context ties this strategy to T1517 Access Notifications, including collection of one-time codes sent over SMS, email, or other channels. Detection engineering should focus on available mobile device, EMM/MDM, endpoint, application, and identity logs that can corroborate notification access with authentication events, MFA challenges, or unusual account activity. Treat this as a coverage assessment rather than a ready-made analytic, because MITRE does not provide official detection logic for DET0611 in the supplied fields.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory and compliance state
  • Android security, permission, or accessibility-related telemetry where available
  • Application logs for authentication, MFA challenge, and one-time code delivery workflows
  • Identity provider sign-in, MFA, and session telemetry
  • Mobile email, SMS, or messaging application security events where available

Detection direction

  • Confirm which mobile platforms are in scope; the related technique lists Android, while the detection strategy object itself has no platform field specified.
  • Correlate suspicious mobile app permission or notification-access behavior with identity events such as MFA prompts, one-time code delivery, new sessions, or failed and successful sign-ins.
  • Tune for false positives from legitimate notification management, accessibility tools, enterprise productivity apps, and user-configured notification automation.
  • Validate whether SOC runbooks can distinguish notification access from broader credential-access or MFA-abuse investigations.
  • Document blind spots where unmanaged personal devices, limited mobile telemetry, or privacy constraints prevent reliable notification-level investigation.
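One way to implement the correlation the bullets above describe, as an added example that is not part of the Glexia or MITRE material: a non-allowlisted app gains notification access on a managed Android device, and the same user receives a one-time code shortly afterwards. The MDM and identity-provider event fields, package names and timestamps are constructed for illustration, not taken from any real product.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (illustrative field names, not a real product schema).
# MDM/EMM events: an app granted notification access on a managed Android device.
MDM_EVENTS = [
    {"ts": "2026-03-01T09:00:00", "user": "alice", "device": "android-01",
     "event": "notification_access_granted", "package": "com.example.sms.forwarder"},
    {"ts": "2026-03-01T10:00:00", "user": "bob", "device": "android-02",
     "event": "notification_access_granted", "package": "com.corp.wearcompanion"},
    {"ts": "2026-03-02T08:00:00", "user": "carol", "device": "android-03",
     "event": "notification_access_granted", "package": "com.example.unknown"},
]
# Identity-provider events: one-time code delivery and MFA outcomes for the same users.
IDP_EVENTS = [
    {"ts": "2026-03-01T09:12:00", "user": "alice", "event": "otp_sent", "channel": "sms"},
    {"ts": "2026-03-01T09:13:30", "user": "alice", "event": "mfa_success", "new_session": True},
    {"ts": "2026-03-01T10:05:00", "user": "bob", "event": "otp_sent", "channel": "sms"},
    {"ts": "2026-03-03T08:00:00", "user": "carol", "event": "otp_sent", "channel": "sms"},
]

# Tuning: packages whose notification access is expected (enterprise wearables, accessibility tools).
ALLOWED_PACKAGES = {"com.corp.wearcompanion"}
WINDOW = timedelta(hours=1)  # how soon after the grant an OTP delivery counts as related


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(mdm_events, idp_events, allowed=ALLOWED_PACKAGES, window=WINDOW):
    """Return one alert per notification-access grant by a non-allowlisted app that is
    followed, within `window`, by a one-time code sent to the same user. Severity is
    raised when a successful MFA on a new session also lands inside the window."""
    alerts = []
    for m in mdm_events:
        if m["event"] != "notification_access_granted" or m["package"] in allowed:
            continue
        start = parse(m["ts"])
        related = [i for i in idp_events
                   if i["user"] == m["user"] and i["event"] in ("otp_sent", "mfa_success")
                   and start <= parse(i["ts"]) <= start + window]
        if not any(i["event"] == "otp_sent" for i in related):
            continue
        new_session = any(i["event"] == "mfa_success" and i.get("new_session") for i in related)
        alerts.append({"user": m["user"], "device": m["device"], "package": m["package"],
                       "severity": "high" if new_session else "medium",
                       "idp_events": [i["event"] for i in related]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(MDM_EVENTS, IDP_EVENTS):
        print(alert)
```

With the constructed data, only alice triggers: bob's app is allowlisted and carol's one-time code arrives a day after the grant, outside the window.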

Mitigation priorities

  • Prioritize mobile device governance for devices used in business authentication workflows, including enrollment, compliance checks, and visibility expectations.
  • Review whether sensitive one-time codes or access prompts are exposed through notifications and reduce notification content exposure where feasible.
  • Strengthen identity controls so compromise of a single notification-delivered code is not the only barrier to account access.
  • Use mobile application permission review and managed-device policy enforcement to limit unnecessary notification access where supported.
  • Ensure IR procedures include mobile device triage and identity-session review when notification access or MFA-code interception is suspected.

Analyst notes and limits

This take is based on ATT&CK detection strategy DET0611 and its relationship to mobile technique T1517 Access Notifications. The useful defensive decision is not a specific signature, but whether the organization can prove visibility into mobile notification abuse paths that may affect MFA and credential-access investigations.

The supplied ATT&CK object has no official description, official detection text, tactics, labels, or platform list. Android is supported only through the related T1517 technique context. Local device management, privacy policy, identity architecture, and application telemetry determine whether practical detection is possible.

Official MITRE ATT&CK definition

Detection of Access Notifications

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain   ID     Name                  Relationship / procedure
Mobile   T1517  Access Notifications  This object detects Access Notifications.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 09bdc47ecfac3b6f...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  09bdc47ecfac…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0611 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.