MITRE ATT&CK® Technique

T1456: Drive-By Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an Application Access Token.

Multiple ways of delivering exploit code to a browser exist, including:

* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
* Malicious ads are paid for and served through legitimate ad providers.
* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.[1]

Typical drive-by compromise process:

1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
   * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
   * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Domain: Mobile · ID: T1456 · Type: Technique · Object v2.2 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Drive-By Compromise matters because a mobile user can be exposed during ordinary browsing, including visits to compromised legitimate sites, malicious ads, or user-generated web content. For leaders, the risk is not just “bad websites”; it is whether Android and iOS devices that access enterprise resources are patched, observable, and governed well enough to withstand browser or web-content exploitation attempts.

Executive priority

Prioritize this as a mobile resilience and access-control issue. The supplied mitigation relationship points directly to security updates: organizations should be able to prove that mobile devices accessing enterprise data receive timely updates, that unsupported devices are decommissioned, and that access can be limited or blocked when patch levels are not current. This also supports audit evidence for mobile device governance and incident readiness when high-value users may be targeted through normal web activity.

Technical view

SOC, detection engineering, and IR teams should validate mobile coverage for Android and iOS browsing-related compromise paths. ATT&CK provides no official detection text for T1456, but it does relate DET0614, Detection of Drive-By Compromise, to this technique. Teams should test whether they can correlate mobile web access, browser/app version and patch posture, suspicious script or redirect activity, warning bypasses where visible, exploit-attempt indicators, and subsequent code execution or token-access behavior. Relationship context shows this technique is used by multiple ATT&CK-tracked mobile software/campaign objects, so detection content should be reviewed against mobile spyware-style tradecraft without assuming those tools are present locally.

Likely telemetry

  • Mobile device management or enterprise mobility records showing OS version, browser version, device model, and security patch level
  • Mobile access-control logs showing whether devices are allowed, blocked, or conditional based on update status
  • Mobile browser or web gateway/proxy/DNS telemetry for visited domains, redirects, ad-delivered content, and compromised-site access where collected
  • Mobile threat defense or endpoint telemetry for suspicious browser behavior, exploitation symptoms, unexpected process/app activity, or post-browse code execution
  • Application access token or session telemetry where enterprise apps expose token acquisition or anomalous use after mobile web activity

Detection direction

  • Start by confirming whether DET0614-style coverage exists in the environment; ATT&CK does not provide detection details in the supplied object.
  • Tune around sequences rather than single events: visit to web content, script or redirect behavior, vulnerable browser/plugin posture, exploit symptoms, and follow-on execution or token activity.
  • Prioritize high-value users and communities that commonly browse shared industry, government, regional, or mission-specific sites, because the description includes watering-hole style targeting.
  • Account for false positives from normal advertising, redirects, and rich web content; require context such as patch exposure, suspicious destination reputation, exploit-like behavior, or post-visit device changes.
  • Identify blind spots where mobile browsing is not routed through observable controls, where iOS/Android endpoint telemetry is sparse, or where personal/unmanaged devices access enterprise resources.
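The "tune around sequences rather than single events" guidance above, as an added example that is not Glexia or MITRE code. It correlates three constructed feeds (web-proxy records, MDM patch posture, and mobile threat defense events) and raises a device only when a suspicious visit is combined with a stale or unknown patch level and/or a follow-on MTD symptom inside a short window, so ordinary redirect and advertising noise on a patched, symptom-free device is not raised. The field layouts, the reputation labels, the thresholds, and the device and host names are all assumptions.

```python
"""Sequence-based triage for mobile drive-by exposure (T1456).

Added example, not Glexia or MITRE code. Correlates three constructed feeds:
web-proxy records, MDM patch posture and mobile threat defense (MTD) events.
Field layouts, reputation labels and thresholds are assumptions, not any
vendor's schema.
"""
from datetime import date, datetime, timedelta

PATCH_MAX_AGE_DAYS = 90                   # assumption: policy threshold for "stale"
FOLLOW_ON_WINDOW = timedelta(minutes=10)  # assumption: visit -> symptom window

# Constructed sample telemetry (not real data).
# Proxy rows: (timestamp, device_id, host, http_status, redirect_target, reputation)
PROXY_LOG = [
    ("2026-01-15T09:01:05", "dev-a1", "news.example.org", 302, "cdn-ads.example.net", "unknown"),
    ("2026-01-15T09:01:06", "dev-a1", "cdn-ads.example.net", 200, None, "low"),
    ("2026-01-15T09:05:00", "dev-b2", "intranet.example.com", 200, None, "high"),
    ("2026-01-15T10:30:00", "dev-c3", "news.example.org", 302, "cdn-ads.example.net", "unknown"),
    ("2026-01-15T10:30:01", "dev-c3", "cdn-ads.example.net", 200, None, "low"),
    ("2026-01-15T11:00:00", "dev-d4", "cdn-ads.example.net", 200, None, "low"),
]
# MDM posture: device -> OS and security patch level (ISO date). dev-d4 is unmanaged.
MDM_POSTURE = {
    "dev-a1": {"os": "android", "patch_level": "2025-05-01"},
    "dev-b2": {"os": "ios", "patch_level": "2026-01-10"},
    "dev-c3": {"os": "android", "patch_level": "2026-01-05"},
}
# MTD events: (timestamp, device_id, event_kind)
MTD_EVENTS = [
    ("2026-01-15T09:03:40", "dev-a1", "unexpected_package_install"),
    ("2026-01-15T10:31:00", "dev-c3", "unexpected_package_install"),
    ("2026-01-15T12:45:00", "dev-a1", "unexpected_package_install"),  # outside the window
]


def patch_age_days(device_id, as_of, posture=MDM_POSTURE):
    """Days since the device's security patch level; None if the device is unmanaged."""
    record = posture.get(device_id)
    if record is None:
        return None
    return (as_of - date.fromisoformat(record["patch_level"])).days


def suspicious_visits(proxy_log=PROXY_LOG):
    """Time-ordered (ts, device, host) for rows with a redirect or a low-reputation host."""
    hits = [(datetime.fromisoformat(ts), dev, host)
            for ts, dev, host, _status, redirect, rep in proxy_log
            if redirect is not None or rep == "low"]
    return sorted(hits, key=lambda hit: hit[0])


def follow_on_events(device_id, after, events=MTD_EVENTS, window=FOLLOW_ON_WINDOW):
    """MTD event kinds for the device that fall inside the window after the visit."""
    return [kind for ts, dev, kind in events
            if dev == device_id and after <= datetime.fromisoformat(ts) <= after + window]


def triage(proxy_log=PROXY_LOG, as_of=date(2026, 1, 15)):
    """One finding per device, keyed on its earliest suspicious visit that qualifies.

    high   : suspicious visit + follow-on MTD event + stale/unknown patch level
    medium : suspicious visit + follow-on MTD event, device is patched
    low    : suspicious visit on a stale/unknown device, no symptom seen yet
    A suspicious visit on a patched, symptom-free device is not raised.
    """
    findings = {}
    for ts, dev, host in suspicious_visits(proxy_log):
        if dev in findings:
            continue
        age = patch_age_days(dev, as_of)
        stale = age is None or age > PATCH_MAX_AGE_DAYS  # unmanaged counts as exposed
        follow = follow_on_events(dev, ts)
        if follow and stale:
            severity = "high"
        elif follow:
            severity = "medium"
        elif stale:
            severity = "low"
        else:
            continue
        findings[dev] = {"severity": severity, "first_visit": host,
                         "patch_age_days": age, "follow_on": follow}
    return findings


if __name__ == "__main__":
    for dev, finding in triage().items():
        print(dev, finding)
```

On the constructed data, dev-a1 (stale patch level, symptom two minutes after a redirect to a low-reputation host) is raised as high, dev-c3 (same visit pattern but a ten-day-old patch level) as medium, the unmanaged dev-d4 as low, and dev-b2 is never raised. Treating an unmanaged device as exposed is a deliberate choice: it surfaces the personal/unmanaged blind spot rather than hiding it.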

Mitigation priorities

  • Implement the related mitigation M1001: install security updates in response to discovered vulnerabilities.
  • Prefer mobile devices and carriers/vendors with a prompt security-update commitment for a defined support period.
  • Decommission devices that no longer receive security updates.
  • Limit or block enterprise access from devices that have not installed recent security updates; for Android, use security patch level where available.
  • Use mobile access policy, MDM/enterprise mobility, and incident response procedures to make patch posture enforceable rather than advisory.
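The mitigation bullets above turned into an enforceable access rule, as an added example that is not Glexia or MITRE code: unsupported models are marked for decommissioning, Android devices are judged on the age of their security patch level, and iOS devices on a minimum OS version, yielding allow, conditional, block or decommission. The thresholds, the supported-model list, the inventory record fields and the device IDs are assumptions.

```python
"""Patch-posture access decision for mobile devices (M1001 made enforceable).

Added example, not Glexia or MITRE code. Thresholds, the supported-model list
and the inventory record fields are assumptions.
"""
from datetime import date

PATCH_CONDITIONAL_DAYS = 30   # assumption: older than this -> limited access
PATCH_BLOCK_DAYS = 90         # assumption: older than this -> blocked
MIN_IOS_VERSION = (17, 6)     # assumption: oldest iOS release still accepted
# assumption: models the organisation considers still within vendor support
SUPPORTED_MODELS = {"Pixel 8", "Galaxy S24", "iPhone 15"}


def version_tuple(text):
    """'17.6.1' -> (17, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device, as_of):
    """Return (decision, reason); decision is allow, conditional, block or decommission."""
    if device["model"] not in SUPPORTED_MODELS:
        return "decommission", "model no longer receives vendor security updates"
    if device["os"] == "android":
        level = device.get("security_patch_level")
        if not level:
            # Missing posture is treated as non-compliant, not as unknown-but-fine.
            return "block", "security patch level not reported"
        age = (as_of - date.fromisoformat(level)).days
        if age > PATCH_BLOCK_DAYS:
            return "block", f"security patch level is {age} days old"
        if age > PATCH_CONDITIONAL_DAYS:
            return "conditional", f"security patch level is {age} days old"
        return "allow", f"security patch level is {age} days old"
    if device["os"] == "ios":
        if version_tuple(device["os_version"]) < MIN_IOS_VERSION:
            return "block", f"iOS {device['os_version']} is below the minimum"
        return "allow", f"iOS {device['os_version']} meets the minimum"
    return "block", "unrecognised platform"


# Constructed inventory records (not real devices).
INVENTORY = [
    {"id": "dev-a1", "os": "android", "model": "Pixel 8", "security_patch_level": "2025-10-01"},
    {"id": "dev-b2", "os": "android", "model": "Galaxy S24", "security_patch_level": "2025-12-01"},
    {"id": "dev-c3", "os": "android", "model": "Galaxy S24", "security_patch_level": "2026-01-05"},
    {"id": "dev-d4", "os": "android", "model": "Galaxy S24", "security_patch_level": None},
    {"id": "dev-e5", "os": "ios", "model": "iPhone 15", "os_version": "17.6.1"},
    {"id": "dev-f6", "os": "ios", "model": "iPhone 15", "os_version": "16.7.8"},
    {"id": "dev-g7", "os": "android", "model": "Galaxy S8", "security_patch_level": "2026-01-05"},
]


def evaluate_fleet(inventory=INVENTORY, as_of=date(2026, 1, 15)):
    """Map each device id to its (decision, reason) as of the given date."""
    return {device["id"]: evaluate(device, as_of) for device in inventory}


if __name__ == "__main__":
    for device_id, (decision, reason) in evaluate_fleet().items():
        print(f"{device_id}: {decision} ({reason})")
```

The two-band threshold (conditional before block) is what makes the policy operable: users get a grace period with limited access and a visible reason, while devices that have stopped receiving updates at all are handled by the model list rather than by patch age, which would otherwise only ever get worse.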

Analyst notes and limits

The object is a mobile ATT&CK technique for Android and iOS. Tactics are not specified in the supplied fields. ATT&CK relationships include one detection strategy, one mitigation, a revoked predecessor technique, and several campaign/software uses, including C0033, Pegasus for iOS, YiSpecter, Stealth Mango, INSOMNIA, and LightSpy. These relationships justify treating T1456 as relevant to mobile threat intelligence and high-risk user protection, but local telemetry is required to determine exposure or coverage.

Official detection text is not provided, and the related DET0614 strategy details were not supplied. The object describes possible delivery paths and process flow but does not establish that any specific organization is targeted or that any named software is active in an environment. Defensive conclusions should be validated against local mobile device inventory, patch status, browsing telemetry, access-control policy, and IR collection capability.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain   ID   Name                      Relationship / procedure
Mobile        Malicious Media Content   Malicious Media Content revoked by this object.
Associated objects

Groups, software, and campaigns

Malware (Mobile)

S1185: LightSpy

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]

Platforms: Android, Windows, iOS

Malware (Mobile)

S0311: YiSpecter

YiSpecter is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. YiSpecter abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.[1]

Platforms: Android, iOS

Malware (Mobile)

S0328: Stealth Mango

Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer.[1]

Platforms: Android
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.2
Created:
Modified:
Raw hash: 6ca18d4da0e622fb...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        2.2                         Current bundle   6ca18d4da0e6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Lookout-StealthMango. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
  2. [2] NIST Mobile Threat Catalogue CEL-22.
  3. [3] mitre-attack T1456.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.