MITRE ATT&CK® Detection Strategy

DET0658: Detection of SIM Card Swap

Mobile | DET0658 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0658 is a mobile ATT&CK detection strategy for identifying SIM card swap activity related to technique T1451. The practical risk is that a phone number can be transferred to an adversary-controlled SIM or device, which can undermine business processes that rely on possession of that number. For executives, the key question is whether the organization can recognize and respond when a user’s mobile number control changes unexpectedly, especially for high-risk users and services that depend on mobile verification.

Executive priority

Treat this as an identity and incident-readiness issue, not only a mobile device issue. Leaders should confirm which critical workflows depend on phone-number control, whether SIM change events are available from mobile providers or enterprise mobility processes, and how the SOC or help desk escalates suspected swaps. Priority is highest where Android or iOS users rely on mobile numbers for authentication, recovery, approval, or business communications. Because the ATT&CK object provides no official detection logic, coverage should be proven with local telemetry and response procedures rather than assumed from tool ownership.

Technical view

This detection strategy detects T1451 SIM Card Swap in the mobile domain. The related technique states that adversaries may transfer or swap a victim’s phone number to adversary-controlled SIM cards and mobile devices after gathering victim information through means such as phishing, social engineering, data breaches, or other avenues. SOC and IR teams should validate whether they can correlate SIM-change indicators with identity events, mobile enrollment changes, help-desk interactions, suspicious authentication, and user reports. Since the detection object does not specify tactics, platforms, or detection analytics, teams should scope validation around the related technique’s Android and iOS context and their own mobile carrier, MDM, IAM, and case-management data sources.

Likely telemetry

  • Carrier or telecom notifications of SIM change, number port, or device association changes where available
  • Mobile device management or enterprise mobility records for device enrollment, device replacement, or phone number changes
  • Identity and access management logs for authentication, MFA, password reset, account recovery, and device trust changes involving mobile numbers
  • Help desk, service desk, or user support tickets reporting loss of service, unexpected carrier changes, or phone-number control issues
  • User-reported security events tied to Android or iOS devices

Detection direction

  • Do not assume coverage from ATT&CK alone; this object has no official detection text, so detection engineering must define and test local analytics.
  • Validate whether SIM or number-transfer events can be obtained directly from carriers, enterprise mobility providers, or user-reporting workflows.
  • Correlate suspected SIM changes with identity activity such as account recovery, MFA changes, new device enrollment, or unusual authentication timing.
  • Prioritize monitoring for high-risk users and accounts where phone-number control affects access or business approvals.
  • Tune for legitimate events such as planned phone upgrades, carrier migrations, employee onboarding/offboarding, and device replacements to reduce false positives.
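The correlation logic sketched in the bullets above, written out as an added example that is neither Glexia's nor MITRE's code. It assumes three constructed, in-memory event feeds (carrier SIM-change notifications, approved MDM device-replacement records, and IAM events) with made-up field names, a 24-hour correlation window, and an assumed list of high-risk users; real feeds, schemas and windows will differ.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Timestamps are ISO 8601, UTC.

# Carrier / telecom notifications of a SIM change or number port.
SIM_EVENTS = [
    {"ts": "2026-03-02T09:12:00", "user": "alice", "type": "sim_change"},
    {"ts": "2026-03-02T13:40:00", "user": "bob", "type": "number_port"},
    {"ts": "2026-03-03T08:05:00", "user": "carol", "type": "sim_change"},
]

# MDM / enterprise mobility records: approved device replacements explain a SIM change.
MDM_RECORDS = [
    {"ts": "2026-03-02T08:30:00", "user": "alice", "type": "device_replacement", "approved": True},
]

# IAM logs: identity activity that is concerning when it follows a SIM change.
IAM_EVENTS = [
    {"ts": "2026-03-02T09:50:00", "user": "alice", "type": "mfa_enroll"},
    {"ts": "2026-03-02T14:02:00", "user": "bob", "type": "account_recovery"},
    {"ts": "2026-03-02T14:10:00", "user": "bob", "type": "mfa_change"},
    {"ts": "2026-03-02T14:30:00", "user": "bob", "type": "login", "new_device": True},
    {"ts": "2026-03-05T10:00:00", "user": "carol", "type": "mfa_change"},  # too late to correlate
]

# Assumed list of users whose phone number gates access or approvals (finance, admins, ...).
HIGH_RISK_USERS = {"bob"}

# IAM event types treated as recovery/MFA/enrollment activity worth correlating.
SUSPICIOUS_IAM_TYPES = {"account_recovery", "mfa_change", "mfa_enroll", "password_reset", "device_enroll"}


@dataclass
class Finding:
    user: str
    sim_ts: str
    sim_type: str
    severity: str                      # "high" | "medium" | "low" | "suppressed"
    planned_replacement: bool
    related_iam: list = field(default_factory=list)  # IAM event types inside the window


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate_sim_swaps(sim_events, iam_events, mdm_records, high_risk_users,
                        window=timedelta(hours=24), planned_window=timedelta(hours=48)):
    """Return one Finding per SIM-change event, graded by follow-on identity activity.

    - A SIM change near an approved MDM device replacement is suppressed (tuning for
      legitimate upgrades and replacements).
    - Recovery/MFA/new-device activity within `window` after the SIM change raises the
      severity; high-risk users are prioritised.
    - A SIM change with no follow-on identity activity stays "low" so it is still
      visible to the SOC and help desk for review.
    """
    findings = []
    for sim in sim_events:
        t0 = _ts(sim["ts"])
        user = sim["user"]

        planned = any(
            r["user"] == user and r["type"] == "device_replacement" and r.get("approved")
            and abs(_ts(r["ts"]) - t0) <= planned_window
            for r in mdm_records
        )

        related = [
            e["type"] for e in iam_events
            if e["user"] == user
            and t0 <= _ts(e["ts"]) <= t0 + window
            and (e["type"] in SUSPICIOUS_IAM_TYPES or e.get("new_device"))
        ]

        if planned:
            severity = "suppressed"
        elif related and user in high_risk_users:
            severity = "high"
        elif related:
            severity = "medium"
        else:
            severity = "low"

        findings.append(Finding(user, sim["ts"], sim["type"], severity, planned, related))
    return findings


if __name__ == "__main__":
    for f in correlate_sim_swaps(SIM_EVENTS, IAM_EVENTS, MDM_RECORDS, HIGH_RISK_USERS):
        print(f"{f.severity:10s} {f.user:6s} {f.sim_type:12s} {f.sim_ts}  iam={f.related_iam}")
```

In the constructed data, bob's number port is followed within the hour by account recovery, an MFA change and a login from a new device, so it is graded high; alice's SIM change is explained by an approved device replacement and is suppressed; carol's SIM change has no identity activity inside the window and is kept at low severity rather than dropped, which matches the advice to validate local telemetry rather than assume coverage.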

Mitigation priorities

  • Inventory business processes and identity controls that depend on mobile phone-number possession.
  • Establish an escalation path for suspected SIM swap reports from users, help desk, telecom administrators, and the SOC.
  • For sensitive users and workflows, reduce dependence on phone-number-based verification where stronger alternatives are available in the local environment.
  • Ensure mobile device and identity teams can quickly suspend, verify, or re-secure affected accounts when a number-transfer concern is raised.
  • Document evidence sources and response steps for audit, incident review, and compliance readiness.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with external ID DET0658 and detects T1451 SIM Card Swap. The object itself does not provide an official description, detection logic, tactics, or platforms. The only platform context comes from the related T1451 technique, which lists Android and iOS. Recommendations above are therefore framed as validation and readiness actions rather than confirmed ATT&CK-provided analytics.

Coverage depends heavily on local carrier access, mobile management scope, identity architecture, and whether the organization uses phone numbers in authentication or recovery workflows. The supplied data does not support claims about active exploitation, specific adversaries, guaranteed detection, or vendor-specific controls.

Official MITRE ATT&CK definition

Detection of SIM Card Swap

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name          | Relationship / procedure
Mobile | T1451 | SIM Card Swap | This object detects SIM Card Swap.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 710ef9ecf029d6ba...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 710ef9ecf029…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0658

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.