AN0190: Analytic 0190
Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLogs events with subsequent process execution.
Analyst context for executives and security teams
AN0190 is a macOS-focused detection analytic for spotting phishing-driven activity that starts in Apple Mail and quickly leads to file or URL execution through applications such as Safari or Preview. Its business value is in validating whether the organization can see the early handoff from email interaction to endpoint execution, before an incident becomes a broader compromise investigation.
Executive priority
Prioritize this analytic where macOS endpoints are material to executive, developer, finance, legal, or other high-value workflows. The key management question is not simply whether phishing protection exists, but whether SOC and IR teams can prove they collect enough macOS telemetry to reconstruct email-to-execution behavior. This supports incident triage, audit evidence for endpoint monitoring, and control prioritization around phishing resilience on Apple platforms.
Technical view
For SOC, detection engineering, and IR teams, validate correlation between macOS Unified Logs, Apple Mail activity, attachment write events, URL or file launches, and subsequent process execution. The supplied ATT&CK object identifies anomalous Mail app activity such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Because no official detection logic or relationship context is supplied, teams should treat this as a detection design requirement rather than a ready-to-deploy rule.
Likely telemetry
- macOS Unified Logs related to Mail app activity
- Endpoint process execution telemetry on macOS
- File creation or save events for email attachments
- Application launch events involving Mail, Safari, Preview, and opened files or URLs
- Timestamps and parent/child or correlation context linking email interaction to subsequent execution
Detection direction
- Validate that macOS telemetry preserves enough timing and application context to correlate Mail activity with immediate file or URL execution.
- Tune around rapid sequences such as attachment saved to disk followed by execution, or Safari/Preview opening content linked from email messages.
- Account for benign user behavior, including legitimate attachment opening, document previewing, and normal browser launches from email.
- Identify blind spots where Unified Logs are not collected, endpoint process telemetry is incomplete, or Mail-to-process correlation is lost during normalization.
- Use this analytic as macOS-specific coverage validation; do not assume equivalent visibility on other platforms from this object.
Mitigation priorities
- Ensure macOS endpoint logging and collection are enabled before relying on this analytic for phishing detection.
- Harden email and endpoint workflows around attachment handling, URL opening, and execution from user-accessible download or mail-related locations.
- Confirm SOC playbooks include triage steps for email-originated process execution on macOS.
- Use detection validation results to guide phishing resilience priorities, endpoint monitoring investment, and incident response readiness.
- Document telemetry coverage and analytic assumptions as compliance or audit evidence where endpoint monitoring controls are assessed.
Analyst notes and limits
This object is a detection analytic, not an ATT&CK technique, and the supplied fields do not include tactics, related techniques, procedures, malware, groups, or mitigations. The most useful interpretation is as a macOS detection coverage objective for email-to-execution behavior associated with phishing workflows.
The official detection field is not provided, and no relationships are supplied. This take therefore avoids claiming specific detection logic, effectiveness, active exploitation, attribution, or non-macOS applicability. Local validation is required to determine whether Unified Logs, process execution data, and email attachment context are actually available and correlated in the environment.
Analytic 0190
Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLogs events with subsequent process execution.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 78cf591e9e49… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0190Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.