DET0716: Detection of Linked Devices
DET0716 is a mobile ATT&CK detection strategy for identifying abuse of messaging-app “linked devices” features. The business issue is account continuity an...
Analyst context for executives and security teams
DET0716 is a mobile ATT&CK detection strategy for identifying abuse of messaging-app “linked devices” features. The business issue is account continuity and trust: if a user’s Signal or WhatsApp account is linked to an adversary-controlled device, messages, contacts, and the ability to send future messages may persist outside the user’s primary phone. Leaders should treat this as an identity and mobile-account control problem, not only an endpoint problem.
Executive priority
Prioritize this where mobile messaging is used for executive communications, incident coordination, legal matters, customer engagement, or operational decision-making. The key governance question is whether the organization can prove which devices are linked to sensitive messaging accounts, detect unexpected changes, and respond quickly enough to preserve communications integrity and audit evidence.
Technical view
The supplied ATT&CK object has no official description, detection text, tactics, or platforms of its own, but it detects mobile technique T1676, Linked Devices, associated with Android and iOS. SOC, IR, and mobile security teams should validate whether they can observe new or unusual linked-device registrations, account session changes, user-facing security notifications, and post-link activity such as message access or sending from a non-primary device. Because messaging applications may limit centralized visibility, detection should combine available app/account evidence, mobile device management evidence, user reporting paths, and incident-response procedures.
Likely telemetry
- Messaging application linked-device or active-session records, where accessible
- Account security notifications or user-visible alerts about newly linked devices
- Mobile device management or enterprise mobility inventory for managed Android and iOS devices
- Mobile application inventory and configuration state for approved messaging apps
- User reports of unexpected linked-device prompts, session changes, or sent messages
Detection direction
- Validate whether linked-device changes can be centrally logged or must be confirmed through user/device inspection.
- Baseline expected use of linked devices for high-risk users and investigate new, unknown, or geographically/operationally inconsistent links when evidence is available.
- Tune triage to distinguish legitimate device migrations, desktop companion use, and user-approved links from suspicious registrations.
- Include relationship-driven context: T1676 may support persistence in the messaging account and enable access to messages, contacts, and future message sending.
- Identify blind spots caused by personal devices, unmanaged messaging apps, limited app telemetry, encrypted messaging design, and lack of historical linked-device records.
Mitigation priorities
- Define policy for approved use of linked devices in sensitive messaging workflows.
- For managed mobile environments, maintain inventory of devices and approved messaging applications on Android and iOS.
- Create user-facing reporting and verification procedures for unexpected linked-device alerts or account session changes.
- Include linked-device review in mobile account recovery, executive protection, and incident-response playbooks.
- Where the application supports it, require periodic review and removal of unrecognized linked devices.
Analyst notes and limits
This take is based on ATT&CK detection strategy DET0716 and its relationship to technique T1676, Linked Devices. The source provides the related technique description but no official detection logic for DET0716, so recommended validation focuses on evidence classes and response readiness rather than specific analytics.
The detection strategy object does not specify platforms, tactics, official description, or official detection text. Android and iOS are supported only through the related T1676 technique. Local messaging-app capabilities, mobile management scope, account ownership model, and legal/privacy constraints will determine what telemetry is actually available.
Detection of Linked Devices
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1676 | Linked Devices | This object detects Linked Devices. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | fde6d2d62c40… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0716Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.