AN0381: Analytic 0381
Detects email-sending behavior via Terminal, AppleScript, or Automator that interfaces with SMTP or IMAP, typically using curl or mail-related APIs in unsanctioned contexts.
Analyst context for executives and security teams
This analytic matters because it points to macOS systems sending email from places users and IT may not expect: Terminal, AppleScript, or Automator, using SMTP/IMAP tooling or mail-related APIs. For leaders, the decision value is whether the organization can distinguish approved automation from unsanctioned email activity on Macs, especially where email movement could affect investigations, compliance evidence, or data-handling controls.
Executive priority
Prioritize this where macOS endpoints are used by privileged users, developers, finance, legal, executives, or teams handling regulated data. The key business question is not just “can we detect curl or scripts,” but whether endpoint, email, and network evidence can prove when email-sending behavior is authorized, investigated, and contained. This supports SOC readiness, incident response scoping, and audit confidence around endpoint-originated communications.
Technical view
Validate visibility for macOS processes launched from Terminal, AppleScript, and Automator that interact with SMTP or IMAP destinations or mail-related APIs. Because ATT&CK provides no official detection logic for this analytic, detection engineers should build environment-specific criteria around process lineage, command context, destination protocol/service, script execution context, and allowlisted automation. Tactics are not specified for this object, so map local detections to internal use cases rather than assuming a specific ATT&CK tactic.
Likely telemetry
- macOS endpoint process creation and command-line telemetry
- Parent-child process relationships involving Terminal, AppleScript, and Automator
- Network connection telemetry for SMTP and IMAP destinations from macOS endpoints
- Script execution or automation activity records where available
- Email security or mail gateway logs showing client-originated SMTP/IMAP activity
Detection direction
- Confirm whether macOS endpoint telemetry captures command-line arguments and process lineage for Terminal, AppleScript, Automator, curl, and mail-related utilities or APIs.
- Correlate endpoint process activity with outbound SMTP/IMAP network connections rather than relying on process names alone.
- Create allowlists for approved mail automation and administrative workflows to reduce false positives.
- Watch for unsanctioned contexts: interactive shells, unexpected user accounts, unusual hosts, or endpoints that normally should not send mail directly.
- Validate coverage gaps for unmanaged Macs, privacy-restricted endpoint logs, encrypted network traffic, and mail activity that bypasses monitored gateways.
Mitigation priorities
- Define and document approved macOS email automation paths, owners, and expected systems.
- Restrict or monitor direct endpoint access to SMTP/IMAP where business requirements allow.
- Ensure managed macOS endpoints produce usable process, script, and network telemetry for SOC review.
- Review permissions and governance for AppleScript and Automator workflows in managed environments.
- Use incident response playbooks that preserve endpoint process evidence, user context, and email/network logs when unsanctioned mail-sending behavior is suspected.
Analyst notes and limits
This is a detection analytic object, not a technique object. The supplied ATT&CK data identifies macOS as the platform and describes email-sending behavior via Terminal, AppleScript, or Automator using SMTP/IMAP, curl, or mail-related APIs in unsanctioned contexts. No official detection procedure, tactics, labels, aliases, or relationship context were supplied.
The object does not provide a concrete detection query, tactic mapping, related techniques, adversary relationships, or validated data source requirements. Local baselining is required to distinguish legitimate automation from suspicious behavior. This take does not assert active exploitation, attribution, impact, or guaranteed coverage.
Analytic 0381
Detects email-sending behavior via Terminal, AppleScript, or Automator that interfaces with SMTP or IMAP, typically using curl or mail-related APIs in unsanctioned contexts.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 57c2504aa3ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0381Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.