AN0300: Analytic 0300
Correlation of Mail.app logs with Safari/Chrome activity. Suspicious behavior includes email links → Safari/Chrome accessing newly registered or lookalike domains → osascript or Terminal spawned unexpectedly.
Analyst context for executives and security teams
This analytic matters because it connects a common user workflow—opening an email link on macOS—to potentially risky browser activity and unexpected script or terminal execution. For leaders, the value is not “detecting phishing” in the abstract; it is validating whether the organization can see the chain from Mail.app to Safari or Chrome and then to local execution tools that could indicate a user-driven compromise path.
Executive priority
Prioritize this as a macOS endpoint and SOC-readiness validation item where Mail.app, Safari, Chrome, Terminal, or osascript are in business use. The key decision is whether current logging and detection operations can reconstruct email-to-browser-to-execution activity quickly enough to support incident triage, user containment, and compliance evidence after a suspected phishing event. If macOS telemetry is weaker than Windows telemetry, this analytic highlights a likely visibility gap.
Technical view
For SOC and detection engineering teams, validate correlation across macOS Mail.app logs, Safari and Chrome browsing activity, domain reputation or registration-age context, and process creation events involving osascript or Terminal. The supplied ATT&CK object does not provide a formal detection rule, tactic mapping, or relationships, so teams should treat this as a detection concept: identify sequences where an email link is followed by browser access to newly registered or lookalike domains and then unexpected spawning of osascript or Terminal.
Likely telemetry
- macOS endpoint process creation telemetry
- Parent-child process relationships involving browser processes, Terminal, and osascript
- Mail.app activity or email link interaction logs
- Safari browsing history or browser activity telemetry
- Chrome browsing history or browser activity telemetry
Detection direction
- Validate that Mail.app, Safari, Chrome, process creation, and network/domain telemetry can be joined by user, host, and time window.
- Tune for suspicious sequences rather than single events: email link activity followed by browser access to newly registered or lookalike domains, followed by osascript or Terminal execution.
- Establish baselines for legitimate macOS automation, developer workflows, IT administration, and power-user Terminal usage to reduce false positives.
- Confirm whether browser-to-Terminal or browser-to-osascript parent-child relationships are captured reliably on macOS endpoints.
- Document blind spots where Mail.app logs, browser history, DNS/proxy data, or macOS process telemetry are unavailable or not retained long enough for investigation.
Mitigation priorities
- Improve macOS endpoint logging coverage before relying on this analytic for operational detection.
- Ensure web and DNS controls can flag or enrich newly registered and lookalike domains used after email link clicks.
- Harden and monitor scripting and terminal execution paths on managed macOS systems according to business need.
- Use phishing response playbooks that include macOS-specific evidence collection from Mail.app, browsers, and endpoint process telemetry.
- Review retention and audit requirements so investigations can prove the email-to-browser-to-execution sequence when needed.
Analyst notes and limits
This object is a detection analytic for macOS only. It provides a useful behavioral correlation idea but no official detection logic, tactic mapping, or relationship context. Local implementation should be driven by available telemetry, normal macOS usage patterns, and the organization’s tolerance for alert volume.
The supplied ATT&CK fields do not include an official detection section, related techniques, mitigations, adversary use, or active exploitation context. Any claim about coverage, severity, attribution, or impact requires local evidence beyond this object.
Analytic 0300
Correlation of Mail.app logs with Safari/Chrome activity. Suspicious behavior includes email links → Safari/Chrome accessing newly registered or lookalike domains → osascript or Terminal spawned unexpectedly.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | d0f19efb7695… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0300Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.