T1496.003

SMS Pumping

Adversaries may leverage messaging services for SMS pumping, a telecommunications fraud technique where the attacker first obtains a block of phone numbers from a carrier, then abuses a victim's SMS infrastructure to generate large volumes of messages to those numbers. The adversary earns per-message payments from the carrier proportional to traffic volume. Attack vectors typically target public-facing web forms — OTP verification, account confirmation, password reset — backed by services such as Twilio, AWS SNS, or Amazon Cognito. Indicators include a spike in SMS API calls from a small set of source IPs, sequential or numerically adjacent destination phone numbers, destination numbers concentrated in high-fraud carrier prefixes, and a sharp increase in SMS-related cloud spend. Unlike volumetric DoS, SMS pumping is financially motivated: the attacker profits directly from the victim's messaging bill.

Microsoft Sentinel / Defender

kusto

let SMSFormThreshold = 50;
let OTPPatterns = dynamic(["otp", "verify", "verification", "confirm", "sms", "phone", "mobile", "2fa", "mfa", "passcode", "one-time", "send-code"]);
// Branch 1: Application Insights — spike in requests to OTP/phone-verification endpoints
let Branch1 = AppRequests
| where TimeGenerated > ago(1h)
| where Url has_any (OTPPatterns) or Name has_any (OTPPatterns)
| where ResultCode == "200" or ResultCode == "429"
| summarize
    RequestCount = count(),
    SuccessCount = countif(ResultCode == "200"),
    ThrottledCount = countif(ResultCode == "429"),
    UniqueURLs = dcount(Url),
    SampleURL = any(Url)
    by bin(TimeGenerated, 5m), ClientIP, AppRoleName
| where RequestCount >= SMSFormThreshold
| extend DetectionSource = "AppRequests-OTPSpike"
| project TimeGenerated, SourceIP = ClientIP, Service = AppRoleName, RequestCount, UniqueTargets = UniqueURLs, DetectionSource;
// Branch 2: Azure Communication Services diagnostics — abnormal SMS send volume
let Branch2 = AzureDiagnostics
| where TimeGenerated > ago(1h)
| where ResourceType =~ "MICROSOFT.COMMUNICATION/COMMUNICATIONSERVICES"
| where OperationName =~ "SmsSend" or OperationName =~ "SmsDelivery"
| extend RecipientPhone = tostring(column_ifexists("recipientPhoneNumber_s", ""))
| summarize
    RequestCount = count(),
    UniqueTargets = dcount(RecipientPhone),
    FailedCount = countif(ResultType =~ "Failed")
    by bin(TimeGenerated, 5m), SourceIP = tostring(callerIpAddress_s), Service = ResourceGroup
| where RequestCount > 100
| extend DetectionSource = "AzureDiagnostics-SMSSpike";
// Combine detection branches
union Branch1, Branch2
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Application: Application Logs Cloud Service: Cloud Service Modification Network Traffic: Network Traffic Flow Microsoft Azure Application Insights Azure Communication Services Diagnostics

Required Tables

AppRequests AzureDiagnostics

False Positives

Legitimate bulk SMS marketing or promotional campaigns sending high volume through the same Communication Services resource
Load testing or security testing of OTP endpoints by internal teams without prior SOC notification
A viral product launch or viral marketing event driving a legitimate spike in new-user OTP verification requests
Misconfigured health-check or synthetic monitoring scripts repeatedly hitting verification form endpoints

Splunk

spl

// Branch 1: AWS CloudTrail — SNS Publish to E.164 phone numbers at high volume
(index=aws sourcetype="aws:cloudtrail" eventSource="sns.amazonaws.com" eventName="Publish"
| spath input=requestParameters output=phoneNumber path=phoneNumber
| where isnotnull(phoneNumber) AND match(phoneNumber, "^\+")
| spath output=userArn path=userIdentity.arn
| bucket _time span=5m
| stats
    count as SMSSendCount,
    dc(phoneNumber) as UniquePhoneNumbers,
    values(sourceIPAddress) as SourceIPs,
    values(userAgent) as UserAgents
    by _time, awsRegion, userArn
| where SMSSendCount > 100
| eval DetectionBranch="SNS-Publish-Spike"
| eval RiskScore=case(SMSSendCount > 500, "Critical", SMSSendCount > 200, "High", 1==1, "Medium")
| table _time, DetectionBranch, RiskScore, SMSSendCount, UniquePhoneNumbers, SourceIPs, awsRegion, userArn)
| append [
  search index=aws sourcetype="aws:cloudtrail" eventSource="cognito-idp.amazonaws.com"
    (eventName="GetUserAttributeVerificationCode" OR eventName="ResendConfirmationCode" OR eventName="ForgotPassword" OR eventName="InitiateAuth")
  | spath output=userArn path=userIdentity.arn
  | bucket _time span=5m
  | stats
      count as SMSSendCount,
      dc(sourceIPAddress) as UniqueIPs,
      values(sourceIPAddress) as SourceIPs,
      dc(requestParameters.username) as UniqueUsernames
      by _time, eventName, awsRegion
  | where SMSSendCount > 50 AND UniqueIPs < 5
  | eval DetectionBranch="Cognito-OTP-Abuse", RiskScore="High"
  | table _time, DetectionBranch, RiskScore, SMSSendCount, UniqueIPs, SourceIPs, awsRegion, eventName
]
| sort - _time

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Application: Application Logs AWS CloudTrail Amazon SNS Amazon Cognito

Required Sourcetypes

aws:cloudtrail

False Positives

Legitimate bulk transactional SMS campaigns (order confirmations, shipping notifications) sending high volume through SNS from a known IAM role
Automated integration or regression test pipelines that exercise Cognito authentication and OTP flows against production user pools
A product launch or viral event causing a legitimate spike in new-user account verification and OTP requests
Internal DevOps pipelines using service accounts with SNS:Publish permissions for application notification delivery

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=5m
  [network where
    event.category == "network" and
    network.protocol in ("http", "https") and
    http.request.method in ("POST", "GET") and
    (
      url.path : (
        "*/otp*", "*/verify*", "*/verification*", "*/confirm*",
        "*/sms*", "*/phone*", "*/mobile*", "*/2fa*", "*/mfa*",
        "*/passcode*", "*/send-code*", "*/send_code*"
      ) or
      url.query : ("*phone*", "*mobile*", "*otp*", "*verify*") or
      url.original : (
        "*twilio.com*", "*sns.amazonaws.com*", "*vonage.com*",
        "*plivo.com*", "*telnyx.com*", "*messagebird.com*"
      )
    ) and
    http.response.status_code in (200, 400, 422, 429)
  ] with runs=50

high severity medium confidence

Data Sources

Packetbeat network traffic monitoring (HTTP/HTTPS inspection) AWS CloudTrail via Filebeat AWS module (logs-aws.cloudtrail-*) Nginx or Apache access logs via Filebeat (logs-nginx.access-* / logs-apache.access-*) Elastic APM server-side transaction traces (traces-apm*) Azure Diagnostics via Filebeat Azure module

Required Tables

logs-network_traffic.http-* logs-aws.cloudtrail-* logs-nginx.access-* logs-*-*

False Positives

Load testing or QA automation suites (e.g., k6, Gatling, JMeter) hammering OTP or phone-verification endpoints from a fixed runner IP — coordinate with engineering to whitelist known test source IPs or suppress during scheduled test windows
High-traffic consumer applications where a promotional event or product launch causes a genuine burst of OTP requests from many real users sharing a corporate NAT or cloud egress IP, breaching the per-IP threshold even though individual user activity is benign
Automated uptime monitors or synthetic transaction scripts (e.g., Datadog Synthetics, Checkly) that invoke the full OTP verification flow on a short polling interval to verify end-to-end SMS delivery health
Enterprise SSO or identity provider migration jobs that batch-re-verify phone numbers for large user populations and route all traffic through a single service account IP

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS TimeWindow,
  sourceip AS SourceIP,
  LOGSOURCENAME(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  COUNT(*) AS RequestCount,
  COUNT(DISTINCT username) AS UniqueUsers,
  CATEGORYNAME(category) AS Category
FROM events
WHERE
  starttime > (NOW() - 3600000)
  AND (
    QIDNAME(qid) ILIKE '%SNS%Publish%'
    OR QIDNAME(qid) ILIKE '%SmsSend%'
    OR QIDNAME(qid) ILIKE '%SmsDelivery%'
    OR QIDNAME(qid) ILIKE '%GetUserAttributeVerificationCode%'
    OR QIDNAME(qid) ILIKE '%ResendConfirmationCode%'
    OR QIDNAME(qid) ILIKE '%ForgotPassword%'
    OR QIDNAME(qid) ILIKE '%InitiateAuth%'
    OR UTF8(payload) ILIKE '%"phoneNumber"%'
    OR UTF8(payload) ILIKE '%"phone_number"%'
    OR (
      CATEGORYNAME(category) ILIKE '%Authentication%'
      AND UTF8(payload) ILIKE '%otp%'
    )
    OR (
      CATEGORYNAME(category) ILIKE '%Web%'
      AND (
        UTF8(payload) ILIKE '%/otp%'
        OR UTF8(payload) ILIKE '%/verify%'
        OR UTF8(payload) ILIKE '%/2fa%'
        OR UTF8(payload) ILIKE '%/mfa%'
        OR UTF8(payload) ILIKE '%send-code%'
        OR UTF8(payload) ILIKE '%send_code%'
      )
    )
  )
GROUP BY
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm'),
  sourceip,
  LOGSOURCENAME(logsourceid),
  QIDNAME(qid),
  CATEGORYNAME(category)
HAVING COUNT(*) > 50
ORDER BY RequestCount DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

AWS CloudTrail via QRadar AWS CloudTrail DSM Azure Diagnostics via QRadar Microsoft Azure DSM Web Application Firewall logs via QRadar Custom DSM or supported WAF DSM Application server syslog or JSON logs normalized via Custom Log Source Extension Twilio event webhooks forwarded to QRadar via syslog or HTTP receiver

Required Tables

events

False Positives

Bulk SMS marketing platforms (e.g., Klaviyo, Attentive) that route high-volume promotional message sends through a shared API gateway IP will breach the per-IP threshold even though the traffic is legitimate — create a whitelist offense rule suppression for known marketing automation source IPs
Multi-tenant SaaS applications where all customer traffic egresses through a shared NAT IP, causing legitimate aggregate OTP volumes from many customers to appear as a single high-rate source
Poorly configured application retry logic that resends OTP requests aggressively on transient failures (e.g., retrying 10 times per user within seconds), generating disproportionately high event counts from a single service IP
Disaster recovery drills or business continuity tests that exercise OTP and MFA flows for large employee populations simultaneously, creating a short-duration spike that triggers the threshold

Sumo Logic CSE

sql

_index=sec_record
| where metadata_vendor in ("Amazon Web Services", "Microsoft Azure", "Twilio", "Vonage", "Plivo")
  or metadata_product in ("CloudTrail", "AzureDiagnostics", "SNS", "Cognito")
| where (
    action in (
      "Publish", "GetUserAttributeVerificationCode",
      "ResendConfirmationCode", "ForgotPassword",
      "InitiateAuth", "SmsSend", "SmsDelivery"
    )
    or http_url matches /(otp|verify|verification|confirm|sms|phone|mobile|2fa|mfa|passcode|send[-_]code)/i
  )
| where isNull(http_response_statusCode)
  or http_response_statusCode in ("200", "400", "422", "429")
| timeslice 5m
| count by _timeslice, srcDevice_ip, action, metadata_vendor
| where _count > 50
| sort by _count desc
| fields
    _timeslice as TimeWindow,
    srcDevice_ip as SourceIP,
    action as EventAction,
    metadata_vendor as Vendor,
    _count as RequestCount

high severity medium confidence

Data Sources

AWS CloudTrail via Sumo Logic AWS CloudTrail App or HTTP source Azure Diagnostics via Sumo Logic Azure Monitor Logs integration Twilio or Vonage event webhooks forwarded to a Sumo Logic HTTP source Web application access logs normalized to CSE via a Sumo Logic log mapper

Required Tables

_index=sec_record (Sumo Logic Cloud SIEM Enterprise normalized events index)

False Positives

Corporate NAT or cloud egress gateways that aggregate legitimate employee OTP requests from many internal users, causing the shared source IP to exceed per-IP thresholds even though individual user behavior is normal — segment by department or subnet if possible
CI/CD pipeline runners with static IPs executing end-to-end phone verification integration tests against production or staging environments as part of nightly test suites
Legitimate bulk SMS service resellers or ISVs whose outbound traffic is ingested into the same SIEM tenant and whose normal operating volume surpasses the detection threshold
Rapid customer onboarding waves (e.g., post-marketing event) where a genuine burst of new user registrations requiring phone verification occurs within a short window, creating a natural spike that mirrors the attack pattern

Google Chronicle / SecOps

yaral

rule sms_pumping_otp_flood_t1496_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1496.003 SMS Pumping via high-volume OTP or phone-verification HTTP requests from a single source IP within a 5-minute window, and abuse of cloud SMS provider API endpoints (Twilio, AWS SNS, Vonage, Plivo)."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    platform = "cloud"
    created = "2025-01-01"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.principal.ip != ""
    (
      re.regex($req.target.url, `(?i)/(otp|verify|verification|confirm|sms|phone|mobile|2fa|mfa|passcode|send[-_]code)`) or
      re.regex($req.target.url, `(?i)(twilio\.com|sns\.amazonaws\.com|nexmo\.com|vonage\.com|plivo\.com|telnyx\.com|messagebird\.com|infobip\.com)`)
    )
    $ip = $req.principal.ip

  match:
    $ip over 5m

  outcome:
    $request_count = count_distinct($req.metadata.id)
    $unique_urls = count_distinct($req.target.url)
    $risk_score = if(#req > 500, 95, if(#req > 200, 80, 65))

  condition:
    #req > 50
}

high severity medium confidence

Data Sources

Google Cloud HTTP(S) Load Balancer logs ingested as UDM NETWORK_HTTP events AWS CloudTrail ingested via Chronicle AWS log ingestion pipeline Nginx or Apache access logs forwarded via Chronicle forwarder and normalized to NETWORK_HTTP Web Application Firewall logs (Cloud Armor, Fastly, Cloudflare) normalized to UDM

Required Tables

NETWORK_HTTP (Chronicle UDM event type)

False Positives

Shared corporate or cloud NAT egress IPs through which many legitimate users generate OTP requests concurrently, causing per-IP aggregation to breach the threshold even though no individual user is abusing the service
Continuous integration runners executing automated end-to-end phone verification tests against production infrastructure from a fixed, known CI IP address — suppress via a reference list exclusion on principal.ip
Mobile backend servers issuing batch OTP verifications during a scheduled user re-enrollment or device migration campaign that processes many accounts within a short window
Authorized red team or penetration testing exercises targeting OTP and MFA endpoints — coordinate exercise windows and suppress via principal.ip reference list exclusion

CrowdStrike LogScale (CQL)

cql

// Branch 1: High-frequency DNS lookups to SMS provider API domains (primary signal)
(#event_simpleName = "DnsRequest"
| DomainName = /(?i)(api\.twilio\.com|sns\.amazonaws\.com|rest\.nexmo\.com|api\.vonage\.com|api\.plivo\.com|messaging\.bandwidth\.com|api\.telnyx\.com|rest\.messagebird\.com|eu\.api\.sinch\.com|api\.infobip\.com)/
| groupBy(
    [aid, ComputerName, DomainName],
    function=[
      count(as=EventCount),
      dc(ContextProcessId, as=UniqueProcesses),
      collect(FileName, limit=10),
      min(ContextTimeStamp, as=FirstSeen),
      max(ContextTimeStamp, as=LastSeen)
    ]
  )
| where EventCount > 50
| eval DetectionBranch = "DNSLookup-SMSProvider"
| eval RiskScore = if(EventCount > 1000, "Critical", if(EventCount > 500, "High", "Medium")))
| union [
// Branch 2: High-volume outbound TCP connections from application processes
  #event_simpleName = "NetworkConnectIP4"
  | RemotePort in [443, 80, 8443]
  | TargetProcessName = /(?i)\.(exe|py|rb|js|jar|sh|php)$/
  | groupBy(
      [aid, ComputerName, RemoteAddressIP4, TargetProcessName],
      function=[
        count(as=EventCount),
        dc(RemotePort, as=UniquePorts),
        min(ContextTimeStamp, as=FirstSeen),
        max(ContextTimeStamp, as=LastSeen)
      ]
    )
  | where EventCount > 200
  | eval DetectionBranch = "NetworkConnect-HighVolumeHTTPS"
  | eval RiskScore = if(EventCount > 2000, "Critical", if(EventCount > 1000, "High", "Medium"))
]
| sort(EventCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor DnsRequest events (#event_simpleName=DnsRequest) CrowdStrike Falcon Sensor NetworkConnectIP4 events (#event_simpleName=NetworkConnectIP4) CrowdStrike Falcon Sensor ProcessRollup2 events for process context enrichment

Required Tables

DnsRequest (#event_simpleName) NetworkConnectIP4 (#event_simpleName)

False Positives

Application servers running legitimate notification services (e.g., a Node.js backend sending transactional SMS for e-commerce orders) will generate sustained high DNS lookup volumes to Twilio or SNS — establish per-ComputerName baselines and tune the EventCount threshold or exclude known application server AIDs via a suppression list
Security scanning or asset discovery tools that enumerate cloud API endpoints and generate DNS lookups as a side effect of HTTP fingerprinting modules during authorized scanning windows
Microservice health-check frameworks (e.g., Consul, Kubernetes liveness probes) that repeatedly resolve SMS provider hostnames to verify DNS reachability as part of dependency readiness checks, producing steady low-rate lookup volumes that briefly spike during pod restarts
CI/CD pipeline agents running integration tests that invoke live SMS provider APIs against test-mode credentials during automated build pipelines, generating repeated lookups from the same agent host

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1496.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1496Resource Hijacking

Related Sub-techniques

T1496.001Compute Hijacking T1496.002Bandwidth Hijacking T1496.004Cloud Service Hijacking

SMS Pumping

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections