MITRE ATT&CK® Technique

T1496.003: SMS Pumping

Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.[1] SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.[2]

Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.[1][3] In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.[1]

Enterprise | T1496.003 | Sub-technique | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

SMS Pumping turns ordinary SMS verification or OTP workflows into a business-cost and availability problem. An adversary can drive large volumes of messages through a SaaS-backed messaging path so the victim pays increased SMS fees and legitimate communication channels may be overwhelmed. For leaders, the key issue is not only fraud loss; it is whether customer signup, account recovery, verification, and notification processes can be abused faster than the organization can detect, throttle, and respond.

Executive priority

Treat this as an impact and resource-hijacking risk for any SaaS application that sends SMS through public forms or account verification flows. Executives should ask who owns SMS spend monitoring, abuse response, and customer-impact decisions when message volume spikes. Security, engineering, fraud, and finance teams need shared thresholds and evidence so cost anomalies, degraded verification workflows, and incident response actions can be justified for resilience and audit purposes.

Technical view

ATT&CK identifies this as a SaaS sub-technique of Resource Hijacking under the Impact tactic. Because the official technique has no ATT&CK-provided detection text, validation should be anchored to the related detection strategy, DET0156, for SMS pumping via SaaS application logs. SOC and detection teams should confirm they can correlate application events from OTP, account verification, and public web forms with messaging-service activity, destination phone-number patterns, request rates, error responses, and billing or usage anomalies. IR teams should also validate escalation paths for disabling, throttling, or challenging abusive SMS-generating flows without unnecessarily breaking legitimate account access.

Likely telemetry

  • SaaS application logs for public web forms, OTP requests, account verification, signup, and account recovery flows
  • Messaging-service logs or usage records for SMS send attempts, destinations, delivery status, and volume changes
  • Billing, cost, or quota telemetry tied to SMS messaging services
  • Web request metadata associated with SMS-triggering endpoints, including request rates and source characteristics where collected
  • Authentication or identity workflow logs for verification-code generation and validation outcomes

Detection direction

  • Validate DET0156-style monitoring against SaaS application logs for SMS-generating workflows rather than relying only on generic infrastructure alerts.
  • Baseline normal SMS request volume by application flow, geography or destination patterns where available, time of day, and campaign or business events to reduce false positives.
  • Tune for rapid increases in SMS sends, repeated OTP or verification requests, unusual destination concentration, high send-to-success imbalance, and cost or quota spikes.
  • Correlate application-layer events with messaging-provider usage and billing records; either source alone may miss the business impact or the triggering user journey.
  • Account for legitimate spikes from product launches, marketing campaigns, outages, or customer migrations before escalating as malicious activity.
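
The three signals named in the list above (volume spike against a baseline, destination concentration, send-to-success imbalance), applied to hourly windows of OTP-send records. This is an added example, not Glexia or MITRE code; the record layout, thresholds, function names, and sample numbers are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

def sample_events():
    """Constructed OTP-send records: (hour, destination, code_was_verified)."""
    events = []
    for hour in range(4):                 # ordinary traffic, varied destinations
        for i in range(5):
            events.append((hour, f"+1555{i}{hour}0{i:04d}", i != 0))
    for i in range(40):                   # burst into one number block, never verified
        events.append((4, f"+99900012{i:03d}", False))
    return events

def flag_windows(events, prefix_len=8, spike=3.0, max_share=0.5,
                 min_verify=0.3, min_sends=10):
    """Return {hour: [reasons]} for hourly windows that look like SMS pumping."""
    by_hour = defaultdict(list)
    for hour, dest, verified in events:
        by_hour[hour].append((dest, verified))
    findings, baseline = {}, []
    for hour in sorted(by_hour):
        rows = by_hour[hour]
        sent = len(rows)
        prefix, hits = Counter(d[:prefix_len] for d, _ in rows).most_common(1)[0]
        verify_rate = sum(v for _, v in rows) / sent
        reasons = []
        if baseline and sent > spike * median(baseline):
            reasons.append("volume_spike")
        # Ratio signals need a minimum sample so quiet hours do not alert.
        if sent >= min_sends and hits / sent > max_share:
            reasons.append(f"destination_concentration:{prefix}")
        if sent >= min_sends and verify_rate < min_verify:
            reasons.append("low_verify_rate")
        if reasons:
            findings[hour] = reasons
        else:
            baseline.append(sent)         # only clean windows feed the baseline
    return findings

if __name__ == "__main__":
    for hour, reasons in flag_windows(sample_events()).items():
        print(hour, reasons)
```

A window that trips only `volume_spike`, with spread destinations and a healthy verify rate, is the pattern a product launch or campaign produces and is a candidate for suppression rather than escalation.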

Mitigation priorities

  • Apply application developer guidance to SMS-triggering workflows: design abuse resistance into OTP, signup, account recovery, and verification paths.
  • Prioritize rate limits, friction, validation, and workflow controls around public forms that can generate SMS traffic.
  • Set spend, quota, and volume thresholds with clear owners for security, engineering, finance, and service operations.
  • Build response playbooks for throttling or temporarily changing SMS verification behavior while preserving legitimate customer access where possible.
  • Review logging and retention requirements so incidents can be investigated with application, messaging-service, and billing evidence.
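
One way to put rate limits and friction in front of an SMS-triggering form, as an added example rather than Glexia or MITRE code: a sliding-window gate that counts requests per destination number, per destination prefix, and per request source. The class name, limits, window length, and the choice to answer a prefix-level trip with a challenge instead of a hard deny are assumptions.

```python
import time
from collections import defaultdict, deque

class SmsSendGate:
    """Hypothetical pre-send check for OTP / verification SMS requests."""

    def __init__(self, limits, window=600, clock=time.monotonic):
        self.limits = limits              # e.g. {"number": 3, "prefix": 20, "source": 5}
        self.window = window              # seconds covered by each counter
        self.clock = clock                # injectable so the gate can be tested
        self.seen = defaultdict(deque)    # (kind, value) -> timestamps of allowed sends

    def check(self, source, dest, prefix_len=8):
        """Return (decision, tripped_limit); decision is send, challenge, or deny."""
        now = self.clock()
        keys = {"number": dest, "prefix": dest[:prefix_len], "source": source}
        for kind, value in keys.items():
            stamps = self.seen[(kind, value)]
            while stamps and now - stamps[0] >= self.window:
                stamps.popleft()          # drop sends that aged out of the window
            if len(stamps) >= self.limits[kind]:
                # A busy prefix can include real customers: add friction
                # (for example a CAPTCHA) instead of blocking outright.
                return ("challenge" if kind == "prefix" else "deny", kind)
        for kind, value in keys.items():  # record only requests that were allowed
            self.seen[(kind, value)].append(now)
        return ("send", None)
```
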
Analyst notes and limits

The supplied ATT&CK object is new in version 1.0 and focuses on SaaS-hosted SMS abuse as an impact technique. The most useful relationship context is its parent, T1496 Resource Hijacking, and the related detection strategy DET0156. The mitigation relationship points to Application Developer Guidance, so defensive emphasis should be on secure application design and operational guardrails for SMS-generating features.

The official ATT&CK detection field is not provided, and the supplied data does not establish specific adversary groups, active exploitation, affected vendors beyond cited examples, or guaranteed detection methods. Local application architecture, messaging-provider configuration, logging coverage, and business SMS usage patterns are required to assess exposure and detection quality.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1496 | Resource Hijacking | This object is a sub-technique of Resource Hijacking. |


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9100934bcfbac15d...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9100934bcfba… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Twilio SMS Pumping. Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to Stop It. Retrieved September 25, 2024.
  2. [2] Twilio SMS Pumping Fraud. Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September 25, 2024.
  3. [3] AWS RE:Inforce Threat Detection 2024. Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.
  4. [4] mitre-attack T1496.003.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.