MITRE ATT&CK® Analytic

AN0653: Analytic 0653

Abnormal usage of Preview, ImageMagick, or binary editors to alter images/documents, followed by exfiltration or outbound connections with mismatched file MIME types or payload structure.

Enterprise · AN0653 · Analytic · Object version 1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it points to a macOS data-handling pattern where images or documents are modified with tools such as Preview, ImageMagick, or binary editors and then sent outbound with file characteristics that do not match the claimed MIME type or expected structure. For leaders, the value is not assuming the tool use is malicious, but asking whether the organization can tell normal document/image workflows from suspicious file alteration followed by outbound transfer.

Executive priority

Prioritize this as a validation question for macOS visibility, data-loss monitoring, and incident readiness. It can support decisions about whether security teams have enough endpoint, network, and file-inspection evidence to investigate suspicious document handling and outbound movement. Because ATT&CK provides no tactic, relationship, or mitigation context for this analytic, treat it as a coverage and evidence-readiness item rather than a standalone risk rating.

Technical view

SOC and detection teams should validate whether macOS endpoint telemetry can show abnormal use of Preview, ImageMagick, or binary editors against image/document files, and whether that activity can be correlated with subsequent outbound connections or exfiltration-like transfer events. Detection engineering should focus on mismatches between file extension, MIME type, and payload structure, while accounting for legitimate creative, publishing, engineering, and automation workflows that may transform media files at scale.

Likely telemetry

  • macOS process execution telemetry for Preview, ImageMagick, and binary editor usage
  • File modification events for images and documents
  • File metadata, extension, MIME type, and content-structure inspection results
  • Outbound network connection logs from macOS endpoints
  • Data transfer or exfiltration monitoring events where available

Detection direction

  • Confirm that macOS endpoints are in scope; no other platforms are supplied for this analytic.
  • Build correlation around unusual document or image modification followed by outbound transfer rather than alerting on tool execution alone.
  • Tune for legitimate users and workflows that commonly edit, convert, compress, or batch-process images and documents.
  • Validate inspection logic for mismatched MIME type, file extension, and payload structure.
  • Look for blind spots where outbound traffic is encrypted, endpoint file telemetry is absent, or local tooling is not logged consistently.
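The checks the list above asks teams to validate (extension versus magic bytes versus declared MIME type, appended payload data after a file's real end, and correlation of editor activity with a later outbound transfer instead of alerting on tool execution alone) can be prototyped in a few dozen lines. The code below is an added example written for this page, not ATT&CK or Glexia detection logic; the editor process names, the signature table and the event records are constructed assumptions to be replaced with local telemetry and baselines.

```python
"""Added example: MIME/extension/payload-structure checks plus a simple
editor-then-outbound correlation over constructed macOS telemetry."""
import os
from datetime import datetime, timedelta

# Magic-byte signatures for a handful of image/document formats (assumption:
# only these formats are recognised; extend the table for local needs).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),  # also the OOXML docx/xlsx container
]
EXT_TO_MIME = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".pdf": "application/pdf", ".zip": "application/zip",
    ".docx": "application/zip", ".xlsx": "application/zip",
}
# Process names treated as image/document editors (assumption; tune locally).
EDITOR_PROCESSES = {"Preview", "convert", "magick", "mogrify", "hexedit"}


def sniff_mime(data: bytes) -> str:
    """Content type derived from leading magic bytes, not from the name."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def png_trailing_bytes(data: bytes) -> int:
    """Bytes appended after the PNG IEND chunk (0 for a well-formed file)."""
    idx = data.rfind(b"IEND")
    if idx < 0:
        return 0
    end = idx + 4 + 4  # 'IEND' chunk type plus its 4-byte CRC
    return max(0, len(data) - end)


def check_file(name: str, data: bytes, declared_mime=None) -> dict:
    """Compare extension, declared MIME type and sniffed content; list reasons."""
    ext = os.path.splitext(name)[1].lower()
    expected = EXT_TO_MIME.get(ext)
    actual = sniff_mime(data)
    reasons = []
    if expected and actual != expected:
        reasons.append(f"extension {ext} but content is {actual}")
    if declared_mime and declared_mime != actual:
        reasons.append(f"declared {declared_mime} but content is {actual}")
    trailing = png_trailing_bytes(data) if actual == "image/png" else 0
    if trailing:
        reasons.append(f"{trailing} bytes appended after PNG IEND")
    return {"name": name, "content_type": actual,
            "reasons": reasons, "suspicious": bool(reasons)}


def correlate(events, files, window=timedelta(minutes=10)):
    """Pair an editor-driven modification with a later outbound transfer of the
    same file on the same host inside `window`, then inspect the content."""
    alerts = []
    edits = [e for e in events
             if e["kind"] == "file_modify" and e["process"] in EDITOR_PROCESSES]
    for edit in edits:
        for net in events:
            if (net["kind"] != "outbound" or net["host"] != edit["host"]
                    or net["file"] != edit["file"]):
                continue
            if not timedelta(0) <= net["ts"] - edit["ts"] <= window:
                continue
            verdict = check_file(net["file"], files[net["file"]], net.get("declared_mime"))
            if verdict["suspicious"]:
                alerts.append({"host": edit["host"], "file": net["file"],
                               "editor": edit["process"], "dest": net["dest"],
                               "reasons": verdict["reasons"]})
    return alerts


# Constructed sample files: a clean PNG stub, the same PNG with data appended
# after IEND, a ".jpg" that is really a ZIP container, and a ".gif" that is a PDF.
PNG_CLEAN = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
PNG_APPENDED = PNG_CLEAN + b"PK\x03\x04secret"
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.7\n%constructed\n",
    "photo.png": PNG_APPENDED,
    "report.jpg": b"PK\x03\x04" + b"\x00" * 8,
    "notes.gif": b"%PDF-1.7\n%constructed\n",
}
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_EVENTS = [  # constructed process/file/network records
    {"ts": T0, "host": "mac-01", "kind": "file_modify", "process": "Preview", "file": "invoice.pdf"},
    {"ts": T0 + timedelta(minutes=2), "host": "mac-01", "kind": "outbound", "process": "Mail",
     "file": "invoice.pdf", "dest": "smtp.example.com:587", "declared_mime": "application/pdf"},
    {"ts": T0 + timedelta(minutes=5), "host": "mac-02", "kind": "file_modify", "process": "convert", "file": "photo.png"},
    {"ts": T0 + timedelta(minutes=6), "host": "mac-02", "kind": "outbound", "process": "curl",
     "file": "photo.png", "dest": "203.0.113.10:443", "declared_mime": "image/png"},
    {"ts": T0 + timedelta(minutes=7), "host": "mac-02", "kind": "file_modify", "process": "hexedit", "file": "report.jpg"},
    {"ts": T0 + timedelta(minutes=8), "host": "mac-02", "kind": "outbound", "process": "curl",
     "file": "report.jpg", "dest": "203.0.113.10:443", "declared_mime": "image/jpeg"},
    {"ts": T0 + timedelta(minutes=9), "host": "mac-03", "kind": "file_modify", "process": "mogrify", "file": "notes.gif"},
    {"ts": T0 + timedelta(minutes=50), "host": "mac-03", "kind": "outbound", "process": "curl",
     "file": "notes.gif", "dest": "203.0.113.10:443", "declared_mime": "image/gif"},  # outside window
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, SAMPLE_FILES):
        print(a)
```

Run as-is it reports two correlated alerts (the PNG with appended data and the ZIP disguised as a JPEG); the legitimate Preview-then-Mail PDF produces nothing, and the mismatched GIF on mac-03 is skipped because its transfer falls outside the correlation window, which is the tuning knob to set from local baselines before relying on the rule.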

Mitigation priorities

  • Ensure macOS endpoint logging and network egress logging are available and retained for investigation.
  • Apply least-privilege and application-control principles where appropriate for uncommon binary editors or conversion utilities.
  • Strengthen data-loss monitoring for sensitive document and image repositories where business requirements allow.
  • Define incident-response playbooks for suspicious file modification followed by outbound transfer, including file preservation and MIME/content validation.
  • Use local business context to distinguish approved media/document processing workflows from abnormal activity.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and provides a concise behavior description without tactics, relationships, or official detection logic. The most defensible use is as a prompt to test macOS telemetry correlation across process, file, MIME/content inspection, and outbound network evidence.

No relationship context, official detection text, mitigations, tactics, aliases, or labels were supplied. This take does not infer adversary intent, active exploitation, attribution, impact, or detection coverage. Local environment baselines are required to determine materiality and false-positive rates.

Official MITRE ATT&CK definition

Analytic 0653

Abnormal usage of Preview, ImageMagick, or binary editors to alter images/documents, followed by exfiltration or outbound connections with mismatched file MIME types or payload structure.

View the same entry on attack.mitre.org (MITRE-hosted reference). In-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d16b691451ba0a5f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d16b691451ba…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0653 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.