MITRE ATT&CK® Tactic

TA0036: Exfiltration

The adversary is trying to steal data.

Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.

In the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.

Mobile · TA0036 · Tactic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Mobile exfiltration is the point where a device compromise becomes a data-loss and business-risk event: the adversary is trying to remove files or information from a targeted mobile device. The mobile context matters because devices often communicate over networks the enterprise does not fully control, such as cellular or public Wi-Fi, and may also use non-IP channels such as SMS.

Executive priority

Treat this as a mobile data protection and incident readiness issue, not only a malware detection problem. Leaders should ask whether sensitive mobile data is governed, whether incident teams can reconstruct device communications across corporate and non-corporate networks, and whether mobile data loss evidence would be available for legal, compliance, and customer-impact decisions. Budget priority should favor controls and telemetry that reduce unmanaged exfiltration paths and improve visibility when devices leave enterprise networks.

Technical view

The tactic object itself carries no detection guidance, and the mirrored data for this object lists no technique or mitigation relationships, so SOC and IR teams should validate coverage around the exfiltration outcome in the mobile domain rather than expecting it from the tactic entry. Focus on whether mobile security, MDM/UEM, network, VPN, proxy, DNS, Wi-Fi, cellular usage, and SMS-related evidence can show unusual outbound transfer or communication patterns from managed devices. Detection engineering should account for blind spots when devices use public Wi-Fi, cellular networks, or non-IP mechanisms that never traverse enterprise monitoring points.

Likely telemetry

  • MDM/UEM device inventory, compliance, configuration, and security event records
  • Mobile endpoint or mobile threat defense alerts where deployed
  • Corporate Wi-Fi, VPN, proxy, DNS, and firewall logs for managed mobile device traffic
  • Cellular data usage records, billing anomalies, roaming usage, or data-cap events where available
  • SMS or messaging metadata where legally and technically available

Detection direction

  • Confirm which managed mobile devices generate usable telemetry when off corporate Wi-Fi and on cellular or public networks.
  • Tune for unusual outbound volume, destination changes, communication timing, or data usage spikes while considering legitimate mobile app synchronization and backups as false-positive sources.
  • Review whether SMS or other non-IP communication paths are visible at all; if not, document the gap as a detection limitation.
  • Correlate mobile device posture, app inventory, and network activity rather than relying on a single log source.
  • Ensure alert triage can distinguish suspected data removal from normal user mobility, app updates, cloud sync, and carrier-driven network behavior.
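The correlation the "Technical view" and "Detection direction" items describe (posture plus app inventory plus egress plus carrier usage, with sync and backup traffic treated as a false-positive source and missing telemetry recorded as a gap) can be shown in working form. The script below is an added example, not Glexia or MITRE code, and it runs offline on constructed records: the MDM inventory, VPN/proxy egress tuples and carrier usage export are invented sample data (hosts under .invalid and an address from the 203.0.113.0/24 documentation range), and the field layouts, the 5x-median spike threshold and the triage weights are assumptions rather than any vendor's schema. It ranks managed devices by combining a volume spike against each device's own baseline, a first-seen destination outside the known sync set, a carrier data-cap alert (the signal the official description notes can expose cellular exfiltration), non-compliant posture, unapproved apps, and the absence of any egress records for a managed device.

```python
"""Rank managed mobile devices for possible exfiltration by correlating MDM posture,
VPN/proxy egress logs and carrier usage. Every record below is a constructed sample
(hosts under .invalid and the 203.0.113.0/24 documentation range); the field layouts
and the 5x-median spike threshold are assumptions, not any vendor's schema."""
from collections import defaultdict
from statistics import median

# MDM/UEM inventory (constructed): device -> compliance posture and installed app ids
MDM_INVENTORY = {
    "dev-001": {"user": "alice", "compliant": True,  "apps": {"com.example.mail", "com.example.cloudsync"}},
    "dev-002": {"user": "bob",   "compliant": False, "apps": {"com.example.mail", "com.unknown.flashlight"}},
    "dev-003": {"user": "carol", "compliant": True,  "apps": {"com.example.mail"}},
}
# Apps approved in the MDM and the egress hosts those apps legitimately sync with (constructed)
APPROVED_APPS = {"com.example.mail", "com.example.cloudsync"}
KNOWN_SYNC_HOSTS = {"mail.example.invalid", "sync.example.invalid"}
# VPN/proxy egress records (constructed): (day, device, destination host, bytes sent)
EGRESS_LOGS = [
    ("2024-05-01", "dev-001", "mail.example.invalid", 2_000_000),
    ("2024-05-01", "dev-001", "sync.example.invalid", 40_000_000),
    ("2024-05-02", "dev-001", "mail.example.invalid", 3_000_000),
    ("2024-05-02", "dev-001", "sync.example.invalid", 35_000_000),
    ("2024-05-03", "dev-001", "mail.example.invalid", 2_500_000),
    ("2024-05-03", "dev-001", "sync.example.invalid", 45_000_000),
    ("2024-05-01", "dev-002", "mail.example.invalid", 1_000_000),
    ("2024-05-02", "dev-002", "mail.example.invalid", 1_200_000),
    ("2024-05-03", "dev-002", "mail.example.invalid", 1_100_000),
    ("2024-05-03", "dev-002", "203.0.113.7", 600_000_000),  # large push to a never-seen host
]
# Carrier usage export (constructed): (day, device, cellular MB, data-cap alert raised)
CELLULAR_USAGE = [
    ("2024-05-03", "dev-001", 120, False),
    ("2024-05-03", "dev-002", 2_900, True),
]
# Rough triage weights (assumption): transfer evidence outranks posture hints
WEIGHTS = {"volume_spike": 3, "new_destination": 3, "cellular_cap_alert": 2,
           "noncompliant_posture": 1, "unapproved_app": 1, "no_egress_telemetry": 1}


def daily_totals(logs):
    """Group egress records into device -> day -> {host: bytes sent}."""
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, dev, host, nbytes in logs:
        totals[dev][day][host] += nbytes
    return totals


def assess_device(dev, posture, days, cellular, spike_factor=5.0):
    """Return (reason, detail) findings for one device. `days` is day -> {host: bytes}."""
    findings = []
    if not posture["compliant"]:
        findings.append(("noncompliant_posture", "device fails MDM compliance"))
    unapproved = posture["apps"] - APPROVED_APPS
    if unapproved:
        findings.append(("unapproved_app", ", ".join(sorted(unapproved))))
    if not days:
        # A managed device with no egress records is a visibility gap, not a clean bill
        findings.append(("no_egress_telemetry", "no VPN/proxy records; device may be off corporate paths"))
    else:
        ordered = sorted(days)
        latest, history = ordered[-1], ordered[:-1]
        per_day = {d: sum(days[d].values()) for d in ordered}
        # Baseline from prior days; the check runs on total bytes so that abuse of a
        # legitimate sync app is not hidden, and the host breakdown supports triage
        if history:
            baseline = median(per_day[d] for d in history)
            if baseline and per_day[latest] > spike_factor * baseline:
                breakdown = ", ".join(f"{h}={b}" for h, b in sorted(days[latest].items()))
                findings.append(("volume_spike", f"{per_day[latest]} B vs baseline {int(baseline)} B ({breakdown})"))
        # Known sync/backup hosts are expected; only previously unseen hosts outside that set are novel
        seen_before = {h for d in history for h in days[d]}
        for host, nbytes in days[latest].items():
            if host not in KNOWN_SYNC_HOSTS and host not in seen_before:
                findings.append(("new_destination", f"{host} ({nbytes} B)"))
    for day, cdev, mb, cap_alert in cellular:
        if cdev == dev and cap_alert:
            findings.append(("cellular_cap_alert", f"{mb} MB on {day}"))
    return findings


def rank_devices(inventory, logs, cellular):
    """Score every managed device and return [(score, device, findings)] highest first."""
    totals = daily_totals(logs)
    results = []
    for dev, posture in inventory.items():
        findings = assess_device(dev, posture, totals.get(dev, {}), cellular)
        score = sum(WEIGHTS[reason] for reason, _ in findings)
        results.append((score, dev, findings))
    return sorted(results, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, dev, findings in rank_devices(MDM_INVENTORY, EGRESS_LOGS, CELLULAR_USAGE):
        print(f"{dev} score={score} user={MDM_INVENTORY[dev]['user']}")
        for reason, detail in findings:
            print(f"  {reason}: {detail}")
```

On the sample data dev-002 ranks first (non-compliant, unapproved app, a roughly 500x volume spike, a never-seen destination, and a carrier cap alert on the same day), dev-001 produces no findings because its large daily transfers go to the allowlisted sync host at a steady rate, and dev-003 is surfaced only for having no egress records at all, which is the documented-gap case rather than an alert. In production the allowlist would come from the MDM app catalogue and the baseline window from more than two days, but the structure of the correlation is the same.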

Mitigation priorities

  • Prioritize mobile data minimization and access governance so less sensitive information resides on or is reachable from mobile devices.
  • Enforce MDM/UEM controls for device compliance, encryption, approved applications, and restrictions on risky data handling where appropriate.
  • Require secure enterprise access paths for sensitive services and monitor those paths for anomalous mobile activity.
  • Define IR playbooks for suspected mobile data exfiltration, including device isolation, evidence preservation, user notification workflow, and legal/compliance escalation.
  • Track visibility gaps for cellular, public Wi-Fi, and SMS paths as risk items rather than assuming enterprise network monitoring is sufficient.

Analyst notes and limits

This is a tactic-level mobile ATT&CK object, so it describes adversary intent rather than a specific procedure. The key decision value is validating whether the organization can detect and investigate mobile data leaving through networks or channels outside normal enterprise control.

No official detection text, platform list, aliases, labels, or relationship context was supplied. This take is therefore limited to the official tactic description and external reference. Local device management scope, logging permissions, carrier data access, privacy requirements, and mobile architecture are required to assess actual coverage.

Official MITRE ATT&CK definition

The official tactic description is reproduced verbatim at the top of this page under "TA0036: Exfiltration".

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Where related groups, software, data sources, or mitigations are shown for an object, validate them against the official ATT&CK relationships and your own telemetry before making control-coverage decisions; for a tactic-level object such as this one, the techniques that map to the tactic are the place to look for that detail.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0ea353a3b396a6fd...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 0ea353a3b396…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, TA0036 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.