title: SMS Pumping (T1496.003)
id: df00tech-t1496-003
status: experimental
description: "Adversaries may leverage messaging services for SMS pumping, a telecommunications fraud technique in which the attacker first obtains a block of phone numbers from a telecommunications provider, then abuses a victim's SMS-sending infrastructure to generate large volumes of messages to those numbers. The provider shares termination revenue with the attacker in proportion to traffic volume, so the victim's messaging bill becomes the attacker's income. Attack vectors typically target public-facing web forms that accept a phone number and send a message in response (OTP verification, account confirmation, password reset) backed by services such as Twilio, AWS SNS, or Amazon Cognito. Indicators include a spike in outbound-SMS API calls, often from a small set of source IPs (distributed attacks spread requests across proxies, so do not rely on source IP alone), sequential or numerically adjacent destination phone numbers, destination numbers concentrated in a handful of carrier prefixes (often in countries where termination fees are high), and a sharp increase in SMS-related cloud spend. Unlike a volumetric DoS, the goal is not to make the service unavailable but to run up the victim's messaging bill; the attacker profits directly from every message delivered."
references:
  - https://attack.mitre.org/techniques/T1496/003/
  - https://df00tech.com/detections/T1496.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1496.003
# NOTE: the logsource below is a placeholder. SMS pumping is visible only in the
# messaging provider's outbound-SMS audit log (e.g. Twilio message logs, AWS CloudTrail
# where SNS/Cognito API calls are recorded, Azure Communication Services SMS logs),
# never in Windows network-connection events. Set category/product to the log you ingest.
logsource:
  category: sms_outbound         # placeholder value, adjust to your SIEM's logsource taxonomy
  product: messaging_provider    # placeholder value
detection:
  # PLACEHOLDER: the aggregation logic (per-source-IP burst, numerically adjacent
  # destinations, prefix concentration, spend spike) could not be auto-translated into
  # Sigma; see the KQL/SPL query on df00tech. As written this selection matches every
  # event in the logsource and must not be deployed until it is replaced.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate bulk SMS marketing or promotional campaigns sent at high volume through the same messaging resource (e.g. the same Azure Communication Services resource or Twilio account) as the OTP flow
  - Load testing or security testing of OTP endpoints by internal teams without prior SOC notification
  - A product launch or marketing event that goes viral and drives a legitimate spike in new-user OTP verification requests
  - Misconfigured health-check or synthetic monitoring scripts repeatedly hitting verification form endpoints
level: high
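The indicators listed in the description (per-source-IP burst, numerically adjacent destinations, prefix concentration, volume against an OTP baseline), implemented over constructed sample log lines. This is an added example, not df00tech's KQL/SPL query and not code from any messaging provider; the record schema (`ts`, `src_ip`, `to`), every threshold, the per-window baseline, the sample IPs and the phone numbers are assumptions to be fitted to your own provider log and traffic history.

```python
"""Indicator checks for SMS pumping over an outbound-SMS audit log.

Added illustration only, not df00tech's KQL/SPL query. The record schema
(ts, src_ip, to) and every threshold are assumptions; fit them to your log.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 60       # tumbling window, aligned to epoch minutes
BURST_THRESHOLD = 20      # sends triggered by one source IP per window
ADJACENT_GAP = 10         # destinations this close numerically count as adjacent
ADJACENT_SHARE = 0.5      # fraction of distinct destinations sitting in adjacent runs
PREFIX_DIGITS = 6         # leading digits treated as the country+carrier prefix
PREFIX_SHARE = 0.6        # fraction of a window's traffic going to a single prefix
BASELINE_PER_WINDOW = 5   # normal OTP sends per window (assumed, from history)
VOLUME_MULT = 10          # multiple of baseline at which spend becomes suspicious


def parse(records):
    """Normalise raw records: ISO-8601 'ts' to an aware datetime, sorted by time."""
    out = []
    for r in records:
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        out.append({"ts": ts, "src_ip": r["src_ip"], "to": r["to"]})
    return sorted(out, key=lambda e: e["ts"])


def bucket(events):
    """Group events into tumbling windows keyed by epoch-minute."""
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e["ts"].timestamp() // WINDOW_SECONDS)].append(e)
    return buckets


def bursty_sources(events, threshold=BURST_THRESHOLD):
    """Source IPs that triggered at least `threshold` sends in the window."""
    counts = Counter(e["src_ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def adjacent_share(events, gap=ADJACENT_GAP):
    """Fraction of distinct destinations numerically adjacent to another one."""
    nums = sorted({int(e["to"].lstrip("+")) for e in events})
    if len(nums) < 2:
        return 0.0
    in_run = set()
    for a, b in zip(nums, nums[1:]):
        if b - a <= gap:
            in_run.update((a, b))
    return len(in_run) / len(nums)


def prefix_concentration(events, digits=PREFIX_DIGITS):
    """Most common destination prefix and its share of the window's traffic."""
    counts = Counter(e["to"][: digits + 1] for e in events)  # +1 keeps the '+'
    prefix, n = counts.most_common(1)[0]
    return prefix, n / len(events)


def assess(records, watchlist=frozenset()):
    """One finding per window in which at least two indicators fire together."""
    findings = []
    for key, events in sorted(bucket(parse(records)).items()):
        signals = {}
        burst = bursty_sources(events)
        if burst:
            signals["burst_sources"] = burst
        adj = adjacent_share(events)
        if adj >= ADJACENT_SHARE:
            signals["adjacent_share"] = round(adj, 2)
        prefix, share = prefix_concentration(events)
        if share >= PREFIX_SHARE:
            signals["prefix"] = (prefix, round(share, 2), prefix in watchlist)
        if len(events) >= BASELINE_PER_WINDOW * VOLUME_MULT:
            signals["volume"] = len(events)
        if len(signals) >= 2:  # any single indicator is noisy; require corroboration
            start = datetime.fromtimestamp(key * WINDOW_SECONDS, tz=timezone.utc)
            findings.append({"window_start": start.isoformat(),
                             "sends": len(events), "signals": signals})
    return findings


# Constructed sample log. IPs are RFC 5737 documentation addresses; the phone
# numbers use unassigned/fabricated country codes and belong to nobody.
LEGIT = [
    {"ts": "2026-04-13T10:00:05Z", "src_ip": "198.51.100.10", "to": "+99912340001"},
    {"ts": "2026-04-13T10:00:21Z", "src_ip": "198.51.100.11", "to": "+99765430002"},
    {"ts": "2026-04-13T10:00:48Z", "src_ip": "198.51.100.12", "to": "+99087650003"},
    {"ts": "2026-04-13T10:05:03Z", "src_ip": "198.51.100.13", "to": "+99112340004"},
    {"ts": "2026-04-13T10:05:30Z", "src_ip": "198.51.100.14", "to": "+99787650005"},
    {"ts": "2026-04-13T10:05:57Z", "src_ip": "198.51.100.15", "to": "+99043210006"},
]
# Pumping burst: one IP hits the OTP form 50 times in a minute, walking
# sequential numbers inside a single prefix.
PUMP = [{"ts": f"2026-04-13T10:05:{i:02d}Z", "src_ip": "203.0.113.7",
         "to": f"+9995551{2001 + i}"} for i in range(50)]
SAMPLE_LOG = LEGIT + PUMP

if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG, watchlist={"+999555"}):
        print(finding)
```

The 10:00 window (three scattered legitimate sends) raises nothing, while the 10:05 window trips all four indicators at once. Requiring two or more corroborating signals is what keeps the marketing-campaign and viral-launch false positives above out of the alert queue: a legitimate spike raises volume and possibly prefix share, but not adjacency or a single-IP burst.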
