AN0180: Analytic 0180
Behavioral chain: (1) Safari/Chrome/Firefox/Office handles a URL; unified logs show open/click or LSQuarantine assignment, (2) outbound connection to untrusted domain, (3) a new file appears in ~/Downloads or /private/var/folders/* with quarantine flag.
Analyst context for executives and security teams
This analytic matters because it connects a user-initiated URL event on macOS to a network connection and the arrival of a quarantined file. For leaders, the value is not just detecting a download; it is validating whether the organization can reconstruct the early chain of a potentially risky file-delivery event from endpoint, network, and macOS quarantine evidence.
Executive priority
Prioritize this as a coverage-validation item for macOS fleets, especially where Safari, Chrome, Firefox, or Office are common business applications. It supports incident triage and compliance evidence by showing whether teams can answer: who opened a URL, what external destination was contacted, what file appeared, and whether macOS quarantine metadata was preserved. The business decision is whether current logging and SOC workflows can reliably connect those facts before an investigation depends on them.
Technical view
For SOC and detection engineering teams, validate a behavioral chain on macOS: application URL handling by Safari, Chrome, Firefox, or Office; unified log evidence of open/click activity or LSQuarantine assignment; outbound connection to an untrusted domain; and creation of a new file in ~/Downloads or /private/var/folders/* with a quarantine flag. Because no ATT&CK tactic or relationship context is supplied, treat this as a detection analytic for macOS event correlation rather than a complete technique-level detection package.
Likely telemetry
- macOS unified logs showing URL open/click activity
- LSQuarantine assignment or quarantine metadata
- Browser and Office application activity on macOS
- Outbound network connection records with destination domain context
- File creation events in ~/Downloads
Detection direction
- Validate that endpoint logging preserves macOS unified log and LSQuarantine evidence long enough for investigation.
- Correlate URL-handling application activity, outbound domain connection, and new quarantined file creation in sequence rather than alerting on any single event alone.
- Define how the SOC determines whether a domain is untrusted, since that judgment is not specified in the ATT&CK object.
- Tune for common legitimate downloads from browsers and Office-linked workflows to reduce false positives.
- Check blind spots around incomplete browser telemetry, missing unified logs, absent file metadata, and temporary-folder downloads under /private/var/folders/*.
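The sequence correlation described in the technical view and detection direction above, as an added example that is not part of the ATT&CK object or of Glexia's analysis. It assumes telemetry has already been normalized into events with `ts`, `host`, `app`, `kind`, `value` and (for file creations) `quarantine` fields, a local trusted-domain suffix list, and a 120-second maximum gap between chain steps; the sample feed is constructed.

```python
from datetime import datetime, timedelta

EVENTS = [  # constructed sample feed (not real telemetry): normalized macOS events
    {"ts": "2026-01-10T09:00:00", "host": "mac-01", "app": "Safari", "kind": "url_open",
     "value": "https://files.untrusted-sample.test/report.pdf"},
    {"ts": "2026-01-10T09:00:02", "host": "mac-01", "app": "Safari", "kind": "net_conn",
     "value": "files.untrusted-sample.test"},
    {"ts": "2026-01-10T09:00:05", "host": "mac-01", "app": "Safari", "kind": "file_create",
     "value": "/Users/alice/Downloads/report.pdf", "quarantine": True},
    # Blind spot from the page: untrusted connection, but the file arrived without a quarantine flag.
    {"ts": "2026-01-10T11:00:00", "host": "mac-03", "app": "Firefox", "kind": "url_open",
     "value": "https://cdn.untrusted-sample.test/tool.zip"},
    {"ts": "2026-01-10T11:00:01", "host": "mac-03", "app": "Firefox", "kind": "net_conn",
     "value": "cdn.untrusted-sample.test"},
    {"ts": "2026-01-10T11:00:04", "host": "mac-03", "app": "Firefox", "kind": "file_create",
     "value": "/Users/carol/Downloads/tool.zip", "quarantine": False},
]
URL_APPS = {"Safari", "Chrome", "Firefox", "Microsoft Word", "Microsoft Excel"}
TRUSTED_SUFFIXES = ("corp.example",)  # assumption: the SOC's own trusted-domain list
WINDOW = timedelta(seconds=120)       # assumption: maximum gap between chain steps

def at(e):
    return datetime.fromisoformat(e["ts"])

def is_untrusted(domain, trusted=TRUSTED_SUFFIXES):
    # A domain is trusted only if it equals, or is a subdomain of, a listed suffix.
    return not any(domain == s or domain.endswith("." + s) for s in trusted)

def in_download_location(path):
    return "/Downloads/" in path or path.startswith("/private/var/folders/")

def correlate(events, window=WINDOW):
    """One hit per completed chain: URL open -> untrusted connection -> quarantined file."""
    evs = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, u in enumerate(evs):
        if u["kind"] != "url_open" or u["app"] not in URL_APPS:
            continue
        # Step 2: first later outbound connection from the same host to an untrusted domain.
        conn = next((c for c in evs[i + 1:] if c["host"] == u["host"] and c["kind"] == "net_conn"
                     and is_untrusted(c["value"]) and at(c) - at(u) <= window), None)
        if conn is None:
            continue
        # Step 3: a quarantined file in a download location after that connection.
        fin = next((f for f in evs[i + 1:] if f["host"] == u["host"] and f["kind"] == "file_create"
                    and f.get("quarantine") and in_download_location(f["value"])
                    and timedelta(0) <= at(f) - at(conn) <= window), None)
        if fin is not None:
            hits.append({"host": u["host"], "url": u["value"], "domain": conn["value"], "file": fin["value"]})
    return hits
```

Only mac-01 produces a hit; mac-03 is dropped because the file never received quarantine metadata, which is exactly the gap the blind-spot check above is meant to surface.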
Mitigation priorities
- Ensure macOS endpoint telemetry collection includes unified logs, file creation paths, and quarantine metadata.
- Maintain network visibility sufficient to associate outbound connections with endpoint and process context where available.
- Establish a defensible process for classifying untrusted domains and documenting that logic for SOC and audit use.
- Preserve relevant endpoint and network evidence for incident response so URL, domain, and file artifacts can be reconstructed.
- Review user-facing download and attachment-handling controls for browsers and Office, while avoiding assumptions that any single control guarantees prevention.
Analyst notes and limits
This is best used as a practical coverage test: can defenders connect a URL-handling event to an outbound connection and a quarantined file on macOS? The supplied object provides a concrete behavioral chain but does not provide an official detection query, tactic mapping, technique relationship, adversary relationship, or mitigation mapping.
The ATT&CK object has no official detection text beyond the description, no tactics, and no relationship context. It does not support claims about active exploitation, attribution, impact, or detection effectiveness. Local environment data is required to determine what counts as an untrusted domain and whether the needed macOS telemetry is collected.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7c3ab98216ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.