MITRE ATT&CK® Technique

T1640: Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts.

Mobile | T1640 | Technique | Object v1.1 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Account Access Removal is a mobile Android technique where an adversary disrupts legitimate user access by deleting, locking, or changing accounts or credentials. For leaders, the practical issue is continuity: if mobile accounts are made unavailable, users may lose access to business apps, communications, or device-managed resources at the moment they are needed for operations or incident response.

Executive priority

Treat this as an availability and identity-resilience concern for Android mobile environments. Executives should ask whether the organization can quickly determine when account access has been removed or manipulated, restore legitimate access, and preserve evidence. Because ATT&CK provides no official detection text for this technique, priority should be on validating actual mobile identity, device-management, and help-desk evidence rather than assuming SOC coverage exists.

Technical view

SOC, IR, and mobile security teams should validate monitoring around Android account state changes, credential changes, account lockouts, deletions, and user reports of sudden access loss. The supplied ATT&CK relationship notes DET0605 as a detection strategy for this technique, but the official technique object does not include detection details, so teams need to map DET0605 and local telemetry to their own Android, identity, and mobile management environment. Relationship context also identifies Monokle as software that uses this technique, so threat intelligence workflows can use that association for context without assuming local exposure.

Likely telemetry

  • Android device account configuration and state-change records where available
  • Mobile device management or enterprise mobility management logs for account removal, lock, or configuration changes
  • Identity provider logs for credential changes, account disablement, lockout, or deletion affecting mobile users
  • Authentication failure and session invalidation events associated with affected accounts
  • Help-desk, user-reported access loss, and incident tickets correlated with technical logs

Detection direction

  • Validate whether DET0605 or equivalent internal analytics exist for account deletion, lockout, credential change, or access-removal patterns on Android.
  • Correlate mobile-side account changes with identity-provider and device-management events to distinguish user/admin activity from suspicious manipulation.
  • Tune for high-noise operational events such as legitimate password resets, administrator account lifecycle actions, device re-enrollment, and offboarding.
  • Check blind spots where personal or unmanaged Android devices, limited mobile logging, or fragmented identity systems prevent reliable reconstruction of account access changes.
  • Use the Monokle relationship as threat-intelligence context only; do not infer active compromise without local evidence.
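
The correlation described in the list above, sketched as an added example (not Glexia or MITRE code, and not the logic of DET0605). All field names, action values, and the 30-minute window are assumptions, and the records are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names and action values are hypothetical,
# not taken from any specific IdP, MDM or ticketing product.
IDP = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "action": "password_changed", "actor": "alice"},
    {"ts": "2024-05-01T09:05:00", "user": "bob", "action": "account_disabled", "actor": "hr-admin"},
    {"ts": "2024-05-01T10:00:00", "user": "carol", "action": "password_changed", "actor": "carol"},
    {"ts": "2024-05-01T11:00:00", "user": "dave", "action": "account_deleted", "actor": "unknown"},
]
MDM = [  # account state changes reported for managed Android devices
    {"ts": "2024-05-01T10:01:00", "user": "carol", "action": "account_removed"},
    {"ts": "2024-05-01T11:00:30", "user": "dave", "action": "account_removed"},
]
TICKETS = [{"user": "bob", "type": "offboarding", "start": "2024-05-01T08:00:00", "end": "2024-05-01T18:00:00"}]
HELPDESK = [{"ts": "2024-05-01T10:20:00", "user": "carol", "summary": "locked out of mail"}]
ACCESS_ACTIONS = {"password_changed", "account_disabled", "account_locked", "account_deleted"}
WINDOW = timedelta(minutes=30)  # assumed correlation window; tune locally

def _t(s):
    return datetime.fromisoformat(s)

def _near(events, user, ts):
    return any(e["user"] == user and abs(_t(e["ts"]) - ts) <= WINDOW for e in events)

def triage(idp, mdm, tickets, helpdesk):
    """Return {user: [reasons]} for access-affecting events that need analyst review."""
    findings = {}
    for ev in idp:
        if ev["action"] not in ACCESS_ACTIONS:
            continue
        ts, user = _t(ev["ts"]), ev["user"]
        # Suppress approved lifecycle work (offboarding, resets, re-enrollment).
        if any(t["user"] == user and _t(t["start"]) <= ts <= _t(t["end"]) for t in tickets):
            continue
        reasons = []
        if ev["actor"] != user:
            reasons.append(f"{ev['action']} by {ev['actor']} without change ticket")
        if _near(mdm, user, ts):
            reasons.append("device-side account change in window")
        if _near(helpdesk, user, ts):
            reasons.append("user reported access loss in window")
        if reasons:
            findings.setdefault(user, []).extend(reasons)
    return findings

if __name__ == "__main__":
    print(triage(IDP, MDM, TICKETS, HELPDESK))
```

A self-service password change with no device-side change and no help-desk report (alice) stays quiet, and the ticketed offboarding (bob) is suppressed; the findings are review leads, not proof of compromise.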

Mitigation priorities

  • Prioritize user guidance (ATT&CK maps mitigation M1011, User Guidance, to this technique), including clear reporting paths for unexpected account lockout, deletion, or credential changes.
  • Ensure account recovery and mobile access restoration procedures are documented, tested, and available during incidents.
  • Review administrative processes for account removal and credential changes so legitimate actions are auditable and distinguishable from suspicious activity.
  • Confirm mobile security, identity, and help-desk teams share escalation criteria for sudden loss of account access on Android devices.

Analyst notes and limits

This technique is material because it targets access availability rather than only confidentiality. The object is in the mobile ATT&CK domain and lists Android as the supported platform. Tactics are not specified in the supplied object, and the official detection field is not provided. Relationship context includes DET0605 as a detection strategy, M1011 User Guidance as mitigation, and S0407 Monokle as software using the technique.

Assessment depends heavily on local Android management, identity-provider logging, and help-desk data. The supplied ATT&CK fields do not provide detailed detection logic, tactic mapping, impact scope, or control implementation steps, so conclusions should be validated against the organization’s own telemetry and account administration workflows.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware Mobile

S0407: Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.[1]

Android

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 7871b885df83687d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 7871b885df83…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack T1640

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.