AN0149: Analytic 0149
Abnormal Apple Mail use, including internal email relays followed by file execution or script events (e.g., attachments launched via Preview, terminal triggered from Mail.app)
Analyst context for executives and security teams
This analytic is about spotting suspicious Apple Mail activity on macOS where email handling is followed by file execution or script-related events, such as an attachment opening through Preview or Terminal activity triggered from Mail.app. For leaders, the value is not the mail client itself; it is whether the organization can connect email-originated activity to subsequent endpoint execution quickly enough to support containment and incident decisions.
Executive priority
Prioritize this where macOS systems are used by executives, developers, administrators, or other high-value users. The business question is whether email security, endpoint telemetry, and SOC workflows can prove when a message or attachment led to execution on a Mac. This matters for incident triage, user risk decisions, audit evidence around endpoint monitoring, and resilience against email-originated intrusion paths. Because ATT&CK provides no detection logic or relationship context here, this should be treated as a validation target rather than evidence of existing coverage.
Technical view
For macOS detection engineering and IR, validate whether telemetry can correlate Apple Mail activity with follow-on process, file, and script events. The supplied analytic specifically points to abnormal Apple Mail use, internal email relays, attachments launched via Preview, and terminal activity triggered from Mail.app. Teams should test whether parent/child process lineage, file open events, attachment paths, scripting events, and mail client activity are retained and searchable with enough context to distinguish normal user behavior from suspicious email-to-execution chains.
Likely telemetry
- macOS endpoint process creation and parent/child process lineage
- Apple Mail application activity where available
- File open or execution events for mail-delivered attachments
- Preview.app launch activity associated with files opened from Mail.app
- Terminal or script execution events with ancestry linked to Mail.app
Detection direction
- Validate correlation from Mail.app to Preview.app, Terminal, shell, or script execution rather than alerting on Apple Mail use alone.
- Tune for unusual execution chains following email activity, with attention to user role, host baseline, attachment type, and timing.
- Confirm whether internal email relay context is visible to the SOC; many environments separate mail gateway, endpoint, and identity logs.
- Expect false positives from legitimate attachment review, document previewing, and user-initiated terminal work; prioritize ancestry, file origin, and rarity.
- Because no official detection logic is provided, document local analytic assumptions, required fields, and known blind spots.
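As an added example (not ATT&CK or Glexia content), the ancestry correlation the bullets above describe, run over constructed macOS process-creation events in a simplified EDR-style shape; the field names, executable paths, and sample events are assumptions, and the script/shell descendants of Mail.app are scored higher than a Preview open of a file from the Mail Downloads folder, which the analytic lists as an expected false-positive source.

```python
import os

MAIL_EXE = "/System/Applications/Mail.app/Contents/MacOS/Mail"
PREVIEW_EXE = "/System/Applications/Preview.app/Contents/MacOS/Preview"
TERMINAL_EXE = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
# Shells and interpreters whose appearance beneath Mail.app is the chain this analytic calls out.
SCRIPT_EXES = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
               "/usr/bin/python3", TERMINAL_EXE}

# Constructed sample events (assumed field names): Mail spawns Preview and osascript -> sh;
# a separate user-launched Terminal -> zsh has no Mail.app ancestry and must not fire.
EVENTS = [
    {"pid": 100, "ppid": 1, "exe": MAIL_EXE, "args": []},
    {"pid": 101, "ppid": 100, "exe": PREVIEW_EXE,
     "args": ["/Users/cfo/Library/Mail Downloads/invoice.pdf"]},
    {"pid": 102, "ppid": 100, "exe": "/usr/bin/osascript", "args": ["-e", "CONSTRUCTED"]},
    {"pid": 103, "ppid": 102, "exe": "/bin/sh", "args": ["-c", "CONSTRUCTED"]},
    {"pid": 200, "ppid": 1, "exe": TERMINAL_EXE, "args": []},
    {"pid": 201, "ppid": 200, "exe": "/bin/zsh", "args": ["-l"]},
]

def ancestry(pid, by_pid):
    """Executable chain from the process itself up to its oldest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # loop guard for malformed ppid data
        seen.add(pid)
        chain.append(by_pid[pid]["exe"])
        pid = by_pid[pid]["ppid"]
    return chain

def correlate(events):
    """Return findings for processes that have Mail.app somewhere in their ancestry."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        if MAIL_EXE not in chain[1:]:  # chain[0] is the process itself; skip Mail itself
            continue
        names = [os.path.basename(x) for x in reversed(chain)]  # root first, for readability
        if e["exe"] in SCRIPT_EXES:
            findings.append({"pid": e["pid"], "severity": "high",
                             "rule": "mail_to_script", "chain": names})
        elif e["exe"] == PREVIEW_EXE and any("Mail Downloads" in a for a in e["args"]):
            findings.append({"pid": e["pid"], "severity": "low",
                             "rule": "mail_attachment_preview", "chain": names})
    return findings

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["severity"], f["rule"], " -> ".join(f["chain"]))
```

Real deployments would key on the Mail.app bundle path and the attachment folder as configured on the host rather than the constants assumed here, and should add the user-role and rarity context the bullets describe.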
Mitigation priorities
- Ensure managed macOS endpoints produce reliable process, file, and user telemetry for SOC and IR use.
- Harden email attachment handling and user-facing controls where policy allows, especially for high-value macOS users.
- Review whether endpoint controls can restrict or alert on risky script or terminal execution initiated from user applications.
- Integrate email, endpoint, and identity evidence so responders can trace from message receipt to local execution.
- Use tabletop or purple-team validation to confirm analysts can investigate Apple Mail-to-execution scenarios without relying on unsupported assumptions.
Analyst notes and limits
The ATT&CK object is a detection analytic for macOS only. It describes abnormal Apple Mail use involving internal email relays followed by file execution or script events. No tactics, relationships, aliases, labels, or official detection procedure were supplied, so this summary focuses on defensive validation and telemetry readiness.
This summary is limited to the supplied STIX fields and external reference. It does not establish adversary attribution, active exploitation, prevalence, impact, or guaranteed detectability. Local macOS logging configuration, mail architecture, EDR coverage, and retention will determine whether this analytic can be implemented effectively.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 56fdaed9be41… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0149
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.