MITRE ATT&CK® Analytic

AN1011: Analytic 1011

Monitor unified logs and Mail.app activity for repetitive incoming messages with attachments. Defenders should look for large volumes of incoming mail stored under ~/Library/Mail with unusual timing or repetitive subjects.

Enterprise | AN1011 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting suspicious mail activity on macOS by watching unified logs and Apple Mail storage for repeated incoming messages with attachments, especially when messages arrive in unusual bursts or share repetitive subjects. For leaders, the value is not attribution or proof of compromise; it is an operational check on whether macOS endpoint and email activity can be evidenced quickly when a mail-driven incident is suspected.

Executive priority

Prioritize this where macOS users and Mail.app are in scope for business operations, legal communications, executive support, or regulated workflows. The key decision question is whether the organization can produce timely evidence of high-volume or repetitive attachment delivery on macOS endpoints, not just from the mail gateway. This supports incident triage, audit defensibility, and SOC readiness when email-based activity must be investigated across user devices.

Technical view

For SOC and IR teams, validate that macOS unified logs and Mail.app activity under ~/Library/Mail are available, retained, and searchable. The analytic direction is to look for large volumes of incoming mail with attachments, unusual timing patterns, and repetitive subjects. Note that ~/Library/Mail only holds mail that Mail.app has synchronized for that user account; mail read in a browser or another client leaves nothing there, so this store is evidence of Mail.app delivery, not of everything the user received. Because no ATT&CK tactic, detection logic, threshold, or relationship context is supplied, teams should treat this as a telemetry validation and tuning prompt rather than a complete detection rule.

Likely telemetry

  • macOS unified logs
  • Apple Mail / Mail.app activity
  • File and directory activity under ~/Library/Mail
  • Email metadata such as received time, subject repetition, and attachment presence
  • Endpoint log collection and retention evidence for macOS systems

Detection direction

  • Confirm whether macOS unified logs are collected centrally or remain only on the endpoint.
  • Validate visibility into ~/Library/Mail activity for incoming messages and attachments on macOS.
  • Tune for abnormal volume, repetitive subjects, and unusual timing rather than single-message events.
  • Account for expected bulk mail, mailing lists, newsletters, automated notifications, and mailbox synchronization behavior as likely false-positive sources.
  • Correlate endpoint Mail.app evidence with email security or mail server records where those exist, noting that the ATT&CK object does not name such sources.
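The detection direction above, carried through as an added example that is not part of the ATT&CK object or of Glexia's analysis: a Python script that parses Apple Mail's on-disk .emlx files, marks attachment-bearing messages, normalizes subjects so that numbered variants collapse onto one key, and reports both bursts within a sliding time window and repeated subjects. The thresholds (five attachment-bearing messages in ten minutes, three repeats), the helper and field names, and the embedded sample messages are constructed assumptions for illustration and must be tuned to a local baseline.

```python
"""Added example: flag bursts of repetitive, attachment-bearing mail in Apple Mail's on-disk store.
Apple Mail keeps one message per .emlx file under ~/Library/Mail: the RFC 822 byte count on the
first line, then the message, then an XML plist trailer. Thresholds below are assumptions."""
from __future__ import annotations

import email
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from email import policy
from email.utils import parsedate_to_datetime
from pathlib import Path
from typing import NamedTuple


class MailRecord(NamedTuple):
    path: str
    received: datetime
    sender: str
    subject_norm: str
    has_attachment: bool


def normalize_subject(subject: str) -> str:
    """Drop Re:/Fwd: prefixes, map digit runs to '0', squash whitespace, lowercase, so that
    'Invoice #1001' and 'Re: Invoice #1002' share one key (a tuning choice, not a standard)."""
    s = re.sub(r"\d+", "0", re.sub(r"^\s*((re|fw|fwd)\s*:\s*)+", "", subject or "", flags=re.I))
    return re.sub(r"\s+", " ", s).strip().lower()


def parse_emlx(raw: bytes, path: str = "<inline>") -> MailRecord:
    """Parse one .emlx blob: b'<byte count>\\n' + RFC 822 message + plist trailer."""
    nl = raw.index(b"\n")
    msg = email.message_from_bytes(raw[nl + 1 : nl + 1 + int(raw[:nl])], policy=policy.default)
    received = parsedate_to_datetime(str(msg["Date"]))  # raises if the Date header is absent
    if received.tzinfo is None:  # a '-0000' zone parses naive; treat it as UTC
        received = received.replace(tzinfo=timezone.utc)
    has_attachment = any(p.get_content_disposition() == "attachment" or p.get_filename()
                         for p in msg.walk())
    return MailRecord(path, received, str(msg["From"] or ""),
                      normalize_subject(str(msg["Subject"] or "")), has_attachment)


def scan_mail_root(root: Path) -> list[MailRecord]:
    """Parse every .emlx under a Mail root (normally ~/Library/Mail); unreadable files are skipped."""
    out = []
    for p in sorted(root.rglob("*.emlx")):
        try:
            out.append(parse_emlx(p.read_bytes(), str(p)))
        except (ValueError, TypeError, OSError):
            pass
    return out


def find_bursts(records, window=timedelta(minutes=10), min_count=5) -> list[dict]:
    """Sliding window over attachment-bearing arrival times; each maximal run in which some
    window holds at least min_count messages is reported once, with its full span."""
    times = sorted(r.received for r in records if r.has_attachment)

    def span(a: int, b: int) -> dict:
        return {"start": times[a], "end": times[b], "messages": b - a + 1}

    bursts, i, run = [], 0, None
    for j, t in enumerate(times):
        while t - times[i] > window:
            i += 1
        if j - i + 1 >= min_count:
            run = [i, j] if run is None else [run[0], j]
        elif run is not None:
            bursts.append(span(*run))
            run = None
    return bursts + ([span(*run)] if run is not None else [])


def find_repeated_subjects(records, min_repeats=3) -> dict[str, int]:
    """Normalized subjects carried by at least min_repeats attachment-bearing messages."""
    counts = Counter(r.subject_norm for r in records if r.has_attachment)
    return {s: n for s, n in counts.items() if n >= min_repeats}


def _emlx(hhmmss: str, sender: str, subject: str, attach: bool) -> bytes:
    """Constructed sample .emlx blob for this example; not captured from a real mailbox."""
    head = (f"Date: Mon, 03 Jun 2024 {hhmmss} +0000\r\nFrom: {sender}\r\nTo: user@example.test\r\n"
            f"Subject: {subject}\r\nMIME-Version: 1.0\r\n")
    body = ('Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\nContent-Type: text/plain\r\n'
            '\r\nSee attached.\r\n--b1\r\nContent-Type: application/pdf; name="doc.pdf"\r\n'
            'Content-Disposition: attachment; filename="doc.pdf"\r\n'
            "Content-Transfer-Encoding: base64\r\n\r\nJVBERi0=\r\n--b1--\r\n"
            if attach else "Content-Type: text/plain\r\n\r\nNo attachment here.\r\n")
    message = (head + body).encode()
    trailer = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict/></plist>\n'
    return str(len(message)).encode() + b"\n" + message + trailer


# Constructed sample: five vendor "invoices" with attachments inside six minutes, plus benign mail.
SAMPLE_EMLX = [_emlx(*row) for row in [
    ("09:00:00", "billing@vendor.test", "Invoice 1001", True),
    ("09:01:30", "billing@vendor.test", "Invoice 1002", True),
    ("09:02:00", "billing@vendor.test", "Re: Invoice 1003", True),
    ("09:03:00", "news@list.test", "Weekly newsletter", False),
    ("09:04:00", "billing@vendor.test", "Invoice 1004", True),
    ("09:05:30", "billing@vendor.test", "Invoice 1005", True),
    ("11:30:00", "colleague@example.test", "Lunch?", False),
    ("14:00:00", "legal@example.test", "Contract draft", True),
]]

if __name__ == "__main__":  # live use: recs = scan_mail_root(Path.home() / "Library" / "Mail")
    recs = [parse_emlx(b) for b in SAMPLE_EMLX]
    print(find_bursts(recs), find_repeated_subjects(recs))
```

Two practical notes for a live run: ~/Library/Mail is TCC-protected on current macOS, so the terminal or agent running the script needs Full Disk Access or the reads fail with permission errors, and this script only covers the on-disk side of the analytic; the Mail.app process activity side comes from the unified log, for example `log show --predicate 'process == "Mail"' --last 1h`, which is retained on the endpoint only for a limited period unless forwarded centrally.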

Mitigation priorities

  • Establish reliable macOS log collection and retention before depending on this analytic for incident response.
  • Ensure IR playbooks include procedures for locating and preserving relevant Mail.app and unified log evidence.
  • Define baseline expectations for normal incoming mail volume and attachment patterns for high-risk macOS user groups.
  • Use the analytic to inform email security, endpoint monitoring, and compliance evidence discussions, without treating it as a standalone prevention control.
  • Review access, privacy, and retention requirements before expanding endpoint mail-content or metadata monitoring.

Analyst notes and limits

The supplied object is a detection analytic for macOS focused on unified logs and Mail.app activity. It provides a practical observation target but does not include a formal detection expression, tactic mapping, related techniques, thresholds, or mitigation mappings. Local baselining is essential because repetitive subjects and high message volume can be legitimate in many business contexts.

This take is limited to the official STIX fields, external reference, and the absence of relationship context. No active exploitation, adversary attribution, impact, or guaranteed detection coverage is implied. The object only supports macOS and Mail.app-oriented guidance.

Official MITRE ATT&CK definition

Analytic 1011

Monitor unified logs and Mail.app activity for repetitive incoming messages with attachments. Defenders should look for large volumes of incoming mail stored under ~/Library/Mail with unusual timing or repetitive subjects.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7c4f091a3cafe614...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  7c4f091a3caf…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1011 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.