What starting position does this attack require?

The first step is Replay captured OTP for SaaS / banking ATO (W-MFA-BYPASS) — a credential access primitive. Assumed environment: target user's phone still allows 2G fallback (most carriers haven't disabled it).

What is the final impact of this kill-chain?

The final step lands on Force 2G fallback (5G-IMSI-CATCHER), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

IMSI catcher → force 2G downgrade → SMS / call intercept

Operate a rogue base station in the target area. Phones associate; force fallback to 2G where no mutual auth is required. Intercept SMS OTPs, sniff voice calls, push notifications fail silently.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Credential Access

Replay captured OTP for SaaS / banking ATO

W-MFA-BYPASS · MFA Bypass

Resource Development

Stand up rogue eNB / gNB (srsRAN / OsmocomBB)

T1583 · Acquire Infrastructure

Collection

Capture SMS / call traffic

T1056 · Input Capture

Initial Access

Higher transmit power lures victims

WIFI-EVIL-TWIN · Evil Twin / Rogue AP

Credential Access

Force 2G fallback

5G-IMSI-CATCHER · IMSI Catcher / Stingray

§ Context

Assumed environment: target user's phone still allows 2G fallback (most carriers haven't disabled it). Attacker has SDR / commercial IMSI catcher in physical range.

§ Steps

01
Replay captured OTP for SaaS / banking ATOCredential Access
W-MFA-BYPASS— MFA Bypass
02
Stand up rogue eNB / gNB (srsRAN / OsmocomBB)Resource Development
T1583— Acquire Infrastructure
03
Capture SMS / call trafficCollection
T1056— Input Capture
04
Higher transmit power lures victimsInitial Access
WIFI-EVIL-TWIN— Evil Twin / Rogue AP
05
Force 2G fallbackCredential Access
5G-IMSI-CATCHER— IMSI Catcher / Stingray

§ References

T1583Acquire Infrastructure
T1056Input Capture

§ Frequently asked

What is the "IMSI catcher → force 2G downgrade → SMS / call intercept" attack path?: Operate a rogue base station in the target area. Phones associate; force fallback to 2G where no mutual auth is required. Intercept SMS OTPs, sniff voice calls, push notifications fail silently. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Replay captured OTP for SaaS / banking ATO (W-MFA-BYPASS) — a credential access primitive. Assumed environment: target user's phone still allows 2G fallback (most carriers haven't disabled it).
What is the final impact of this kill-chain?: The final step lands on Force 2G fallback (5G-IMSI-CATCHER), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

Shared techniques2
Autodiscover external leak → credential harvest
Mis-implemented Autodiscover falls back to autodiscover.<TLD>; register that domain externally, harvest plaintext Basic-auth credentials from clients that haven't been patched / configured properly.

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Autodiscover external leak → credential harvest