AN0322: Analytic 0322
Phishing attempts via iCloud Mail, Gmail, or social media apps accessed on macOS systems. Defender view includes Mail.app or Safari downloads of files followed by osascript, Terminal, or abnormal child process execution.
Analyst context for executives and security teams
This analytic matters because it focuses on a common business entry point: users interacting with mail, webmail, or social apps on macOS and then opening downloaded content that leads to scripting or terminal activity. For leaders, the practical question is whether the organization can connect user-facing phishing delivery channels to endpoint process behavior quickly enough to support containment and incident decisions.
Executive priority
Prioritize this where macOS systems are used for privileged, executive, engineering, finance, or regulated workflows. The decision value is not just “detect phishing,” but proving that SOC and IR teams can trace a suspicious download from Mail.app or Safari into follow-on execution such as osascript, Terminal, or unusual child processes. This supports resilience, audit evidence for endpoint monitoring, and budget decisions around macOS visibility and response readiness.
Technical view
Validate macOS endpoint coverage for the described chain: file download activity from Mail.app or Safari associated with iCloud Mail, Gmail, or social media app usage, followed by osascript, Terminal, or abnormal child process execution. Because no official detection logic is provided, teams should build environment-specific baselines for normal Mail.app, Safari, Terminal, and osascript behavior, then alert on suspicious parent-child process relationships and recently downloaded files that precede script or shell execution.
Likely telemetry
- macOS endpoint process creation events, including parent-child process relationships
- File download or file creation events associated with Mail.app and Safari
- Command-line arguments for osascript, Terminal, and child processes where available
- Browser and mail client activity sufficient to correlate downloaded files to subsequent execution
- Endpoint user, host, timestamp, and file path metadata for investigation correlation
Detection direction
- Confirm that macOS process telemetry captures Mail.app or Safari spawning or leading to osascript, Terminal, or other abnormal child processes.
- Tune for sequences where a recently downloaded file is followed by scripting or terminal execution, rather than relying on a single process name alone.
- Baseline legitimate automation that uses osascript or Terminal to reduce false positives, especially for developers, administrators, and power users.
- Look for visibility gaps where mail is read through webmail (iCloud Mail, Gmail) or the lure arrives through a social media app in Safari: the corporate mail gateway never sees that initial delivery, so endpoint telemetry is the first place the interaction can be observed.
- Because no ATT&CK relationship context or official detection logic is supplied, validate detections against local macOS workflows before treating alerts as high confidence.
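Worked example of the download-to-execution correlation the Technical view and Detection direction describe. This is an added illustration, not MITRE or Glexia detection content. It assumes endpoint telemetry has been normalized into the dict fields shown, and it reads the download time and originating application from the com.apple.quarantine extended attribute that Safari and Mail.app stamp on downloaded files ("flags;hex epoch seconds;agent;uuid"); the agent names, field names, baseline pairs, time window and the sample events are all constructed assumptions to be replaced with local values.

```python
# Added example: correlate Mail.app/Safari downloads with follow-on
# osascript/Terminal/shell execution on macOS. Not MITRE or Glexia code.

# Quarantine agent names written by Safari and Mail.app (assumption).
DOWNLOAD_AGENTS = {"Safari", "Mail"}
# Parent process names that map to the analytic's entry applications (assumption).
ENTRY_PARENTS = {"Mail", "Safari"}
# Follow-on images the analytic calls out, plus the shells Terminal launches.
SUSPECT_IMAGES = {"osascript", "Terminal", "bash", "zsh", "sh"}
# How long after a download an execution still counts as "recent" (tuning knob).
WINDOW_SECONDS = 600
# Environment-specific baseline of known-benign (parent, image) automation.
BASELINE = {("launchd", "osascript"), ("Script Editor", "osascript")}


def parse_quarantine(value):
    """Return (download_epoch, agent) from a com.apple.quarantine string, or None.
    Assumed format: '<flags>;<hex epoch seconds>;<agent>;<uuid>'."""
    parts = value.split(";")
    if len(parts) < 3:
        return None
    try:
        return int(parts[1], 16), parts[2]
    except ValueError:
        return None


def correlate(events):
    """Walk time-ordered events and emit alerts for two patterns:
    (a) Mail/Safari directly spawning a suspect image (parent-child rule);
    (b) a suspect image whose command line references a file that Mail/Safari
        quarantined within WINDOW_SECONDS (download-then-execution rule).
    Baselined (parent, image) pairs are skipped to reduce false positives."""
    downloads = {}  # path -> (download_epoch, agent) for Mail/Safari downloads
    alerts = []
    for ev in events:
        if ev["type"] == "file_create":
            q = parse_quarantine(ev.get("quarantine", ""))
            if q and q[1] in DOWNLOAD_AGENTS:
                downloads[ev["path"]] = q
            continue
        if ev["type"] != "process_exec" or ev["image"] not in SUSPECT_IMAGES:
            continue
        if (ev["parent"], ev["image"]) in BASELINE:
            continue
        base = {k: ev[k] for k in ("ts", "host", "user", "parent", "image", "cmdline")}
        if ev["parent"] in ENTRY_PARENTS:
            alerts.append(dict(base, rule="entry_app_spawns_script_or_shell"))
            continue
        for path, (dl_ts, agent) in downloads.items():
            if path in ev["cmdline"] and 0 <= ev["ts"] - dl_ts <= WINDOW_SECONDS:
                alerts.append(dict(base, rule="recent_download_then_execution",
                                   download_path=path, download_agent=agent))
                break
    return alerts


# Constructed sample telemetry for illustration; not real logs.
SAMPLE_EVENTS = [
    # Old Safari download (0x6635c580 = 1714800000), well outside the window.
    {"type": "file_create", "ts": 1714800000, "host": "mbp-17", "user": "jdoe",
     "path": "/Users/jdoe/Downloads/release_notes.scpt",
     "quarantine": "0083;6635c580;Safari;2A6D0C1E-0000-4000-8000-000000000001"},
    # Fresh Safari download (0x6638d2c0 = 1715000000) from a webmail session.
    {"type": "file_create", "ts": 1715000000, "host": "mbp-17", "user": "jdoe",
     "path": "/Users/jdoe/Downloads/Invoice_Q2.command",
     "quarantine": "0083;6638d2c0;Safari;2A6D0C1E-0000-4000-8000-000000000002"},
    # Terminal runs the downloaded .command 190 s later -> alert (rule b).
    {"type": "process_exec", "ts": 1715000190, "host": "mbp-17", "user": "jdoe",
     "parent": "Terminal", "image": "bash",
     "cmdline": "/bin/bash /Users/jdoe/Downloads/Invoice_Q2.command"},
    # Scheduled automation: baselined, no alert.
    {"type": "process_exec", "ts": 1715000300, "host": "mbp-17", "user": "_backup",
     "parent": "launchd", "image": "osascript",
     "cmdline": "osascript /Library/Scripts/rotate.scpt"},
    # Mail.app spawning osascript directly -> alert (rule a).
    {"type": "process_exec", "ts": 1715000400, "host": "mbp-02", "user": "cfo",
     "parent": "Mail", "image": "osascript",
     "cmdline": "osascript -e 'display dialog \"Session expired\"'"},
    # Execution of the old download: outside the window, no alert.
    {"type": "process_exec", "ts": 1715000500, "host": "mbp-17", "user": "jdoe",
     "parent": "Terminal", "image": "osascript",
     "cmdline": "osascript /Users/jdoe/Downloads/release_notes.scpt"},
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["user"], alert["parent"], "->",
              alert["image"], alert.get("download_path", ""))
```

Running the block against the sample prints two alerts: the Safari download executed by Terminal within the window, and Mail.app spawning osascript. The launchd automation is suppressed by the baseline, and the execution of the days-old download falls outside the window; whether that last case should still alert is exactly the kind of local tuning decision the Detection direction list calls for.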
Mitigation priorities
- Ensure managed macOS endpoints provide process, file, and user context needed to reconstruct the download-to-execution chain.
- Harden handling of downloaded files and user-launched scripts according to organizational macOS policy and risk tolerance.
- Use phishing-resistant user processes and reporting workflows for mail, webmail, and social media access paths.
- Prepare IR playbooks for triaging macOS phishing leads, including collection of process trees, downloaded artifacts, user context, and timeline evidence.
- Review whether compliance evidence demonstrates monitoring of macOS endpoints, not only email gateway or Windows-focused controls.
Analyst notes and limits
The supplied object is a detection analytic for macOS and provides a defender view centered on Mail.app or Safari downloads followed by osascript, Terminal, or abnormal child process execution. It does not specify tactics, related techniques, adversaries, malware, campaigns, or a formal detection query.
Official detection content and relationship context were not provided. This take therefore avoids claims about active exploitation, attribution, impact, or guaranteed coverage. Local telemetry quality, macOS management posture, and normal user workflows will determine detection reliability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 95b20b86d8eb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0322 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.