Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0657: Analytic 0657

Phishing attachment detection on macOS through correlation of Mail app logs, file creation in user directories, and abnormal process execution (e.g., Preview.app or Mail.app spawning Terminal or scripting binaries). Network traffic after attachment interaction is also monitored.

EnterpriseAN0657AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0657 is a macOS-focused detection analytic for suspicious activity after a user interacts with a phishing attachment. Its business value is in validating whether the organization can connect email-client evidence, new files in user locations, unusual child processes from Mail.app or Preview.app, and follow-on network traffic into one incident story rather than treating each signal in isolation.

Executive priority

Prioritize this analytic where macOS endpoints and Apple Mail usage are material to business operations. The key leadership question is whether SOC and incident response teams can prove they have the endpoint, mail, file, process, and network evidence needed to investigate attachment-driven compromise quickly. This supports resilience, audit evidence for monitoring coverage, and practical budget decisions around macOS endpoint visibility and response readiness.

Technical view

For SOC, detection engineering, and IR teams, validate correlation across macOS Mail app logs, attachment-related file creation in user directories, abnormal process execution where Mail.app or Preview.app spawns Terminal or scripting binaries, and network traffic after attachment interaction. Because ATT&CK provides no separate detection logic or tactic mapping for this object, teams should treat the official description as the detection intent and implement environment-specific thresholds, allowlists, and triage workflows.

Likely telemetry

  • macOS Mail application logs or equivalent email-client activity records
  • File creation events in user directories, especially files associated with recent attachment handling
  • Process creation and parent-child process telemetry for Mail.app, Preview.app, Terminal, and scripting binaries
  • Endpoint timestamps sufficient to correlate email interaction, file creation, process execution, and network activity
  • Network connection or proxy/DNS telemetry following attachment interaction

Detection direction

  • Validate that macOS endpoint telemetry captures parent-child process relationships involving Mail.app or Preview.app spawning Terminal or scripting binaries.
  • Correlate attachment handling with file creation in user directories before alerting on later execution or network activity.
  • Tune for legitimate workflows where Preview.app, Mail.app, Terminal, or scripting tools may interact during administration, development, or automation.
  • Confirm that network monitoring can be tied back to the endpoint and approximate user interaction timeline.
  • Document blind spots where Mail app logs, process telemetry, or network telemetry are missing, delayed, or not retained.

Mitigation priorities

  • Ensure macOS endpoints in scope have logging and endpoint monitoring capable of supporting the described correlation.
  • Harden and monitor email attachment handling workflows, especially for users or business units with elevated phishing exposure.
  • Review controls around script execution and terminal usage initiated from user-facing applications.
  • Maintain incident response playbooks for suspected phishing attachment execution on macOS, including evidence preservation across mail, endpoint, and network sources.
  • Use findings from coverage validation to inform compliance evidence and control prioritization rather than assuming the analytic is operational by default.
Analyst notes and limits

This object is a detection analytic, not a technique or campaign. The supplied ATT&CK data identifies macOS as the platform and describes a correlation-based phishing attachment detection concept. No tactics, related techniques, mitigations, groups, software, or campaigns were supplied, so conclusions should remain focused on defensive validation of the described telemetry chain.

Official detection content is not provided, and no relationship context is supplied. The analytic does not by itself prove exploit activity, attribution, impact, or detection coverage. Local environment data is required to determine whether Apple Mail is used, whether the required macOS telemetry is collected, and what activity should be considered abnormal.

Official MITRE ATT&CK definition

Analytic 0657

Phishing attachment detection on macOS through correlation of Mail app logs, file creation in user directories, and abnormal process execution (e.g., Preview.app or Mail.app spawning Terminal or scripting binaries). Network traffic after attachment interaction is also monitored.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b3a0889f55363aed...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b3a0889f5536…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0657
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use