MITRE ATT&CK® Analytic

AN1311: Analytic 1311

Monitors Mail.app database or maildir file access, automation via AppleScript, and abnormal mail rule creation using scripting or UI automation frameworks.

Enterprise | AN1311 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is relevant where macOS endpoints handle business email through Mail.app. It focuses on signs that local mail data, maildir files, AppleScript automation, or abnormal mail rule creation are being accessed or manipulated. For leaders, the practical value is validating whether email activity on managed Macs is visible enough to support incident response, insider-risk investigation, and compliance evidence—not assuming that cloud email logging alone covers local client behavior.

Executive priority

Prioritize this as a visibility and readiness question for macOS-heavy environments: can the organization prove who accessed local mail stores, what automation interacted with Mail.app, and whether unusual mail rules were created? This matters for business email risk, legal and compliance investigations, and rapid incident scoping. Because ATT&CK provides no tactic mapping, relationships, or detection logic for this analytic, it should be treated as a coverage validation item rather than a standalone risk conclusion.

Technical view

SOC and detection teams should validate telemetry around macOS Mail.app database or maildir file access, AppleScript-driven automation, and creation or modification of mail rules through scripting or UI automation frameworks. Since no official detection logic is provided, teams need to define local baselines for legitimate Mail.app, AppleScript, and user automation behavior, then test whether endpoint, file, process, and macOS automation telemetry can distinguish expected administrative or user activity from abnormal mail access or rule changes.

Likely telemetry

  • macOS endpoint process execution telemetry involving Mail.app and scripting interpreters or automation components
  • File access events for Mail.app databases or maildir-style mail storage paths
  • AppleScript or macOS automation activity logs where available
  • Mail rule creation or modification evidence from Mail.app configuration or related local files
  • User context, device identity, timestamps, and parent-child process relationships for mail and automation activity

Detection direction

  • Confirm whether managed macOS endpoints collect file access telemetry detailed enough to observe Mail.app database or maildir access.
  • Validate visibility into AppleScript and UI automation framework usage, including the initiating user and process context.
  • Develop baselines for legitimate Mail.app automation, accessibility tools, backups, migrations, and administrative scripts to reduce false positives.
  • Review abnormal mail rule creation or modification as a detection signal, especially when paired with scripting or unusual process ancestry.
  • Treat this analytic as incomplete without local engineering: the ATT&CK object provides a monitoring objective but no official detection query, threshold, tactic mapping, or relationship context.
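As an added illustration of the correlation these points describe (example code written for this page, not Glexia's or MITRE's content), a small Python detector runs over constructed macOS endpoint events, tags non-baseline reads of the Mail store, scripting-interpreter activity, and writes to the rule store, then rates each user's events within a time window. The ~/Library/Mail layout, the rule file names SyncedRules.plist and RulesActiveState.plist, the automation binaries, and the baseline process set are assumptions to be tuned against local telemetry.

```python
import re
from collections import defaultdict, namedtuple
# Constructed endpoint telemetry (not real logs). Mail.app layout as assumed here:
# "Envelope Index" (SQLite database), *.emlx under *.mbox, SyncedRules.plist for rules.
Ev = namedtuple("Ev", "ts user proc kind target")
EVENTS = [
    Ev(100, "alice", "Mail", "file_read", "/Users/alice/Library/Mail/V10/MailData/Envelope Index"),
    Ev(200, "bob", "osascript", "process_exec", "osascript /tmp/mail.scpt"),
    Ev(202, "bob", "osascript", "file_read", "/Users/bob/Library/Mail/V10/ABC/INBOX.mbox/7.emlx"),
    Ev(205, "bob", "osascript", "file_write", "/Users/bob/Library/Mail/V10/MailData/SyncedRules.plist"),
    Ev(400, "dave", "python3", "file_write", "/Users/dave/Library/Mail/V10/MailData/SyncedRules.plist"),
]
MAIL_STORE = re.compile(r"/Library/Mail/")  # database and maildir-style message files
RULE_STORE = re.compile(r"/MailData/(SyncedRules|RulesActiveState)\.plist$")  # assumed names
AUTOMATION = {"osascript", "automator"}  # scripting / UI automation binaries (assumed set)
BASELINE_READERS = {"Mail", "backupd"}  # constructed local baseline; tune per environment

def classify(ev):
    """Signals one event carries: automation, mail_store_access, rule_change."""
    tags = set()
    if ev.proc in AUTOMATION:
        tags.add("automation")
    if ev.kind.startswith("file_") and MAIL_STORE.search(ev.target):
        if ev.proc not in BASELINE_READERS:  # Mail.app and backups are expected readers
            tags.add("mail_store_access")
        if ev.kind == "file_write" and RULE_STORE.search(ev.target):
            tags.add("rule_change")
    return tags

def severity(tags):
    if "automation" in tags and tags & {"mail_store_access", "rule_change"}:
        return "high"  # rule change or store access paired with scripting
    return "medium" if "mail_store_access" in tags else "low"  # Mail writing its own rules: audit only

def correlate(events, window=60):
    """Bucket each user's flagged events within `window` seconds and rate every bucket."""
    per_user, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e.ts):
        if tags := classify(ev):
            per_user[ev.user].append((ev.ts, tags))
    for user, hits in per_user.items():
        start, tags = hits[0][0], set()
        for ts, t in hits:
            if ts - start > window:  # close the current bucket, open a new one
                alerts.append((user, start, severity(tags), sorted(tags)))
                start, tags = ts, set()
            tags |= t
        alerts.append((user, start, severity(tags), sorted(tags)))
    return alerts
```

Process ancestry is deliberately left out of the sample; adding the parent process to `Ev` and folding an "unusual parent" tag into `classify` is the natural next step once local baselines exist.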

Mitigation priorities

  • Harden macOS endpoint management so only approved automation, scripting, and accessibility permissions are allowed where operationally required.
  • Limit unnecessary local mail storage exposure through endpoint configuration and email client governance where feasible.
  • Ensure endpoint detection and response coverage includes macOS file, process, and automation telemetry relevant to Mail.app.
  • Document expected Mail.app rules, automation use cases, and administrative scripts to support audits and incident response.
  • Use incident response playbooks to preserve local mail configuration, rule data, automation evidence, and user/device context when this behavior is suspected.

Analyst notes and limits

This is a detection analytic object for macOS with an official description but no supplied official detection content, tactics, aliases, labels, or relationship context. The main decision value is to assess whether local macOS email-client behavior is observable and governable, especially where cloud email telemetry may not show client-side database access or local automation.

The supplied ATT&CK fields do not identify a specific technique, tactic, threat actor, campaign, impact, or confirmed exploitation scenario. Detection feasibility depends on local macOS logging, endpoint tooling, Mail.app configuration, and whether AppleScript or UI automation telemetry is collected and retained.

Official MITRE ATT&CK definition

Analytic 1311

Monitors Mail.app database or maildir file access, automation via AppleScript, and abnormal mail rule creation using scripting or UI automation frameworks.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 09b48f5ad545a3eb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 09b48f5ad545…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1311 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.