T1517: Access Notifications
Essential information
- MITRE technique ID
T1517- Confidence
- 100/100
- Revoked
- No
- Published
- 17/12/2025 22:47
- Modified
- 27/03/2026 01:41
- Author / Source
- The MITRE Corporation
Aliases
T1517
Platforms
android
Description
Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-mobile-attack | collection |
| mitre-mobile-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.