MITRE ATT&CK® Detection Strategy

DET0684: Detection of Phishing

Mobile | DET0684 | Detection Strategy | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0684 is a mobile ATT&CK detection strategy for identifying phishing behavior associated with the mobile technique T1660, Phishing. The business issue is not just message filtering; mobile phishing can be an entry point for adversaries attempting to gain access to user devices through electronically delivered social engineering. Leaders should treat this as a validation point for mobile security monitoring, user reporting, and incident response readiness across Android and iOS environments where those devices are in scope.

Executive priority

Prioritize this where mobile devices are used for business access, identity verification, communications, or sensitive workflows. Because the supplied ATT&CK object has no official detection logic or platform list of its own, the executive decision is to confirm whether the organization has defensible evidence and response processes for mobile phishing attempts rather than assuming coverage. This supports operational resilience, identity risk reduction, audit evidence for security awareness and incident handling, and budget decisions around mobile threat monitoring and response.

Technical view

This detection strategy is mapped to mobile Phishing T1660, which covers electronically delivered social engineering against mobile users, including broad phishing and more targeted spearphishing. SOC and detection engineering teams should validate coverage against Android and iOS environments from the related technique context. Since MITRE provides no official detection text for DET0684, teams should define local analytic requirements: how phishing reports are captured, what mobile device or messaging telemetry is available, how suspicious links or content are triaged, and how incidents are correlated with identity, device, and user activity after interaction.

Likely telemetry

  • User-reported suspicious mobile messages or links
  • Mobile device management or mobile security event logs where deployed
  • Email, messaging, or collaboration security alerts involving mobile users
  • Web proxy, DNS, or secure web gateway records for suspicious mobile link access where available
  • Identity and access logs following suspected phishing interaction

Detection direction

  • Confirm whether mobile phishing reports and alerts are routed into the SOC workflow with enough user, device, message, URL, and timestamp context to investigate.
  • Correlate suspected phishing interaction with subsequent identity activity, device posture changes, and access to business applications.
  • Tune for the difference between benign suspicious-message reports, spam, awareness-test activity, and higher-risk targeted phishing indicators.
  • Validate visibility separately for Android and iOS because the related technique identifies both platforms, while this detection strategy object itself does not provide platform-specific guidance.
  • Document blind spots where personal devices, unmanaged messaging apps, encrypted channels, or incomplete mobile telemetry prevent confident assessment.
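
One way to apply the routing, correlation and tuning points above, as an added example that is not part of the MITRE object or the Glexia page. The field names, event types, 24-hour window and awareness-test host are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Context the text says a report needs: user, device, URL, timestamp (names assumed).
REQUIRED = ("user", "device_id", "platform", "url", "clicked_at")
RISKY = {"mfa_method_added", "new_device_sign_in", "password_reset"}  # assumed event names
WINDOW = timedelta(hours=24)                 # assumed post-interaction look-ahead
AWARENESS_HOSTS = {"phishtest.example.com"}  # assumed simulation domain

def triage(reports, identity_events):
    """One finding per report: missing context, follow-on identity events, priority."""
    findings = []
    for r in reports:
        missing = [f for f in REQUIRED if not r.get(f)]
        host = urlsplit(r.get("url") or "").hostname or ""
        follow_on = []
        if r.get("user") and r.get("clicked_at"):
            start = datetime.fromisoformat(r["clicked_at"])
            follow_on = [e["type"] for e in identity_events
                         if e["user"] == r["user"] and e["type"] in RISKY
                         and start <= datetime.fromisoformat(e["time"]) <= start + WINDOW]
        if host in AWARENESS_HOSTS:
            priority = "awareness-test"   # tuned out of the incident queue
        elif follow_on:
            priority = "high"             # interaction followed by identity change
        elif missing:
            priority = "needs-context"    # cannot be investigated as routed
        else:
            priority = "review"
        findings.append({"id": r["id"], "priority": priority,
                         "missing": missing, "follow_on": follow_on})
    return findings

# Constructed sample data, not real telemetry.
REPORTS = [
    {"id": "R1", "user": "alice", "device_id": "ios-001", "platform": "iOS",
     "url": "https://login.example.net/verify", "clicked_at": "2026-01-10T09:00:00"},
    {"id": "R2", "user": "bob", "device_id": "and-007", "platform": "Android",
     "url": "https://phishtest.example.com/c/42", "clicked_at": "2026-01-10T10:00:00"},
    {"id": "R3", "user": "carol", "device_id": None, "platform": "Android",
     "url": "https://files.example.org/doc", "clicked_at": None},
]
IDENTITY = [
    {"user": "alice", "time": "2026-01-10T09:20:00", "type": "mfa_method_added"},
    {"user": "alice", "time": "2026-01-12T09:20:00", "type": "new_device_sign_in"},
    {"user": "bob", "time": "2026-01-10T10:05:00", "type": "password_reset"},
    {"user": "carol", "time": "2026-01-10T11:00:00", "type": "new_device_sign_in"},
]

if __name__ == "__main__":
    for finding in triage(REPORTS, IDENTITY):
        print(finding)
```

R3 shows the blind-spot case: without a device or interaction timestamp the report cannot be correlated, so carol's later sign-in goes unlinked.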

Mitigation priorities

  • Establish a clear mobile phishing reporting and triage process before relying on automated detection alone.
  • Maintain accurate mobile device inventory and ownership context for Android and iOS devices in scope.
  • Integrate mobile phishing alerts and user reports with identity monitoring and incident response workflows.
  • Use security awareness and executive/user communications to reduce reporting friction and improve early escalation.
  • Review control gaps in mobile management, messaging security, and post-click investigation evidence based on observed blind spots.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy named Detection of Phishing, external ID DET0684, in the mobile-attack domain. It detects T1660 Phishing, whose supplied description states that adversaries may send malicious content to users to gain access to mobile devices and may use broad or targeted electronically delivered social engineering. No official detection text, tactics, platforms, aliases, or labels are provided for DET0684 itself.

This take is constrained by sparse official fields. MITRE supplied no detection logic, data sources, analytics, or mitigations for DET0684, and the detection strategy object does not specify platforms. Android and iOS are referenced only through the related T1660 technique. Local environment telemetry is required to determine actual coverage or risk exposure.

Official MITRE ATT&CK definition

Detection of Phishing

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
| --- | --- | --- | --- |
| Mobile | T1660 | Phishing | This object detects Phishing. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 697c4a4d1293708f...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| --- | --- | --- | --- | --- | --- |
| 19.1 | | 1.0 | | Current bundle | 697c4a4d1293… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0684

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.