Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1462: Analytic 1462

Execution of files with reversed filename extensions using Unicode RTLO character. Frequently used to deceive Gatekeeper and users in Safari or Mail-based phishing.

EnterpriseAN1462AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic concerns macOS files whose names use the Unicode Right-to-Left Override character to make an extension appear reversed or misleading. The practical risk is phishing-driven execution: a user receiving a file through Safari or Mail may see a name that looks safer than the file actually is, weakening reliance on visual inspection and some user-facing trust cues.

Executive priority

Treat this as a macOS phishing and endpoint resilience validation item. Leaders should ask whether security teams can identify deceptive Unicode filenames in downloaded or emailed files, whether Gatekeeper-related decisions are visible to the SOC, and whether user reporting, incident response, and audit evidence cover Safari/Mail-based file execution paths. It is most relevant where macOS endpoints are material to business operations or privileged user populations.

Technical view

For SOC and detection engineering, validate coverage for macOS file creation, download, and execution events where filenames contain U+202E RTLO or other bidirectional control characters. Because the ATT&CK object provides no official detection logic and no relationship context, teams should test locally against Safari and Mail download/execution workflows, then tune for filenames where the displayed extension may differ from the actual stored filename. IR teams should preserve the original filename bytes/Unicode representation, source application context, quarantine or Gatekeeper metadata where available, and the process tree around execution.

Likely telemetry

  • macOS endpoint file creation and file modification events including full Unicode filename values
  • Process execution telemetry with command line, parent process, signing/notarization context where available, and file path
  • Safari download history or browser-origin metadata where collected
  • Mail attachment handling or saved-attachment evidence where collected
  • macOS quarantine/Gatekeeper assessment or related security decision logs where available

Detection direction

  • Search for U+202E Right-to-Left Override and similar bidirectional control characters in macOS filenames and paths, especially in user download, mail attachment, desktop, and temporary locations.
  • Correlate suspicious filenames with execution events and parent applications such as Safari or Mail, as supported by local telemetry.
  • Validate that logging pipelines, SIEM normalization, case management, and analyst consoles preserve and display Unicode control characters rather than stripping or visually reordering them.
  • Tune carefully for legitimate multilingual filename use; prioritize bidirectional control characters used near file extensions and followed by execution or user-open events.
  • Because no official detection text or ATT&CK relationships were supplied, treat this as a detection-validation pattern rather than a complete rule.

Mitigation priorities

  • Ensure macOS endpoint controls and logging are configured to retain filename fidelity, quarantine metadata, and execution context.
  • Review phishing and attachment-handling controls for files with deceptive Unicode characters in names, especially from web downloads and email attachments.
  • Confirm Gatekeeper and related macOS safety controls are enabled and that security teams can see relevant allow/block or user-decision evidence where available.
  • Educate users and help desks that filenames can be visually deceptive, and include suspicious Unicode filenames in reporting and triage guidance.
  • Add this scenario to macOS incident response and detection test plans so coverage is evidenced rather than assumed.
Analyst notes and limits

The supplied object is a detection analytic for macOS, AN1462, describing execution of files with reversed filename extensions using the Unicode RTLO character, frequently associated with deception in Safari or Mail-based phishing. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this take focuses on defensive validation and telemetry requirements rather than asserting a specific ATT&CK technique mapping or adversary behavior beyond the description.

Source fields are sparse. There is no official detection query, no related techniques, no mitigation mapping, and no evidence of active exploitation or attribution in the supplied data. Local endpoint configuration, log retention, Unicode handling, and macOS application telemetry will determine whether this analytic is actionable.

Official MITRE ATT&CK definition

Analytic 1462

Execution of files with reversed filename extensions using Unicode RTLO character. Frequently used to deceive Gatekeeper and users in Safari or Mail-based phishing.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
1e050036eac7e1b5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 1e050036eac7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1462
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use