AN1590: Analytic 1590
Creation or modification of Apple Mail rules by accessing plist files or GUI automation (AppleScript).
Analyst context for executives and security teams
This analytic covers creation or modification of Apple Mail rules on macOS, whether the change is made by editing the rule plist files directly or by driving Mail through AppleScript GUI automation. For leaders, the practical value is that mail rules decide how messages are filed, marked, forwarded or deleted, so a rule an attacker adds can quietly divert or hide mail; that makes rule changes worth reconstructing in investigations involving user mailboxes, executive accounts or macOS endpoints. Because the ATT&CK object provides no detection logic, treat this analytic as a prompt to validate coverage rather than as a ready-made rule.
Executive priority
Prioritize this where macOS users rely on Apple Mail for business communications, especially high-value users and regulated workflows where mailbox integrity and audit evidence matter. Security leaders should ask whether endpoint monitoring and IR playbooks can reconstruct an Apple Mail rule change: what changed, which account made it, and whether automation was involved. The business decision is whether macOS mailbox activity is covered well enough to support incident response and compliance evidence, not merely whether generic endpoint logging is enabled.
Technical view
SOC and IR teams should validate visibility into Apple Mail rule creation or modification on macOS, specifically writes to the rule plist files (Apple Mail stores rules in SyncedRules.plist and UnsyncedRules.plist under ~/Library/Mail/V<n>/MailData/, where <n> varies by macOS release) and AppleScript-driven GUI automation, which on the endpoint typically appears as osascript execution and, on first use, a TCC Automation or Accessibility consent prompt for access to Mail. Since no ATT&CK tactics, relationships or detection query are supplied, detection engineering should not assume intent; instead build environment-specific baselines for legitimate rule administration, plist modification and AppleScript execution touching Mail. Investigation should correlate file modification events, process execution, user context and, where available, mailbox or other endpoint activity.
Likely telemetry
- File modification events (Endpoint Security framework write, rename and close notifications, or equivalent EDR telemetry) for the Apple Mail rule plist files under ~/Library/Mail/V<n>/MailData/
- Process execution telemetry for Mail.app and for AppleScript hosts such as osascript, including command-line arguments and parent process
- User and session context for the account modifying mail rules
- TCC consent decisions granting Automation or Accessibility access to Mail, and unified-log scripting activity, where collected
- File metadata such as path, timestamp, owner and modifying process
Detection direction
- Confirm whether macOS endpoint telemetry captures creation and modification of the Apple Mail rule plist files (SyncedRules.plist and UnsyncedRules.plist) and records the writing process, since Mail itself rewrites these files whenever a user edits rules in the GUI.
- Validate whether AppleScript or GUI automation against Mail is logged with enough process and user context (osascript command line, parent process, TCC grant) for investigation.
- Tune for legitimate user or administrative mail-rule changes to reduce false positives.
- Correlate suspicious mail-rule changes with unusual user activity, process ancestry, or other endpoint events rather than treating every rule change as malicious.
- Document blind spots where Apple Mail is used but plist or AppleScript telemetry is not retained.
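As an added example (not code from the ATT&CK object or from this page's source data), the Python below runs the correlation described above over constructed telemetry: it parses a Mail rules plist and flags rules that redirect mail off-domain, delete it, or mark it read while hiding it, and it tags each write to the rule store as an interactive edit, as a write that followed an osascript invocation addressing Mail by the same user, or as a direct write by a process other than Mail.app. The file names SyncedRules.plist and UnsyncedRules.plist under ~/Library/Mail/V<n>/MailData/ are where Apple Mail keeps its rules; the rule key names in the sample plist (RuleName, Criteria, Deletes, MarkRead, RedirectTo, ForwardTo, MoveToMailbox) are modelled on that format and should be verified against a real file, and ORG_DOMAINS, the Mail binary path, the 120-second window and every event are assumptions.

```python
"""Triage Apple Mail rule changes from constructed macOS endpoint telemetry (added example).

Check 1 flags rules in a Mail rules plist that divert or hide mail; check 2 attributes
each write to the rule store to Mail.app itself, to Mail driven by osascript, or to
another process writing the plist directly.
"""
import plistlib
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}                    # assumption: the organisation's own mail domains
SENSITIVE_TERMS = ("password", "invoice", "wire", "payment", "security", "hacked")
RULE_FILES = ("SyncedRules.plist", "UnsyncedRules.plist")  # Mail rule stores under ~/Library/Mail/V<n>/MailData/
MAIL_BINARY = "/System/Applications/Mail.app/Contents/MacOS/Mail"  # Mail.app on current macOS releases
AUTOMATION_WINDOW = timedelta(seconds=120)       # assumption: max gap between osascript and the resulting write

# Constructed rules plist. Key names are modelled on Apple Mail's rule format and
# must be checked against a real SyncedRules.plist before use on live data.
SAMPLE_RULES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict><key>RuleName</key><string>Finance filter</string>
  <key>Criteria</key><array><dict><key>Header</key><string>Subject</string>
    <key>Qualifier</key><string>Contains</string><key>Expression</key><string>invoice</string></dict></array>
  <key>Deletes</key><true/><key>MarkRead</key><true/>
  <key>RedirectTo</key><string>collector@example.net</string></dict>
<dict><key>RuleName</key><string>Newsletters</string>
  <key>Criteria</key><array><dict><key>Header</key><string>From</string>
    <key>Qualifier</key><string>Contains</string><key>Expression</key><string>news@vendor.example.org</string></dict></array>
  <key>MoveToMailbox</key><string>imap://alice@mail.example.com/Newsletters</string></dict>
</array></plist>"""

# Constructed endpoint events (process executions and file writes) with ISO-8601 timestamps.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "exec", "user": "alice", "pid": 501, "process": "/usr/bin/osascript",
     "args": ["osascript", "-e", 'tell application "Mail" to make new rule with properties {name:"Finance filter"}']},
    {"ts": "2024-05-01T09:00:02", "type": "file_write", "user": "alice", "pid": 512, "process": MAIL_BINARY,
     "path": "/Users/alice/Library/Mail/V10/MailData/SyncedRules.plist"},
    {"ts": "2024-05-01T14:30:00", "type": "file_write", "user": "alice", "pid": 512, "process": MAIL_BINARY,
     "path": "/Users/alice/Library/Mail/V10/MailData/SyncedRules.plist"},
    {"ts": "2024-05-02T03:12:00", "type": "file_write", "user": "bob", "pid": 700, "process": "/usr/bin/python3",
     "path": "/Users/bob/Library/Mail/V10/MailData/UnsyncedRules.plist"},
]

def load_rules(plist_bytes):
    """Return the rule dictionaries stored in a Mail rules plist (a top-level array)."""
    data = plistlib.loads(plist_bytes)
    return list(data) if isinstance(data, list) else []

def assess_rule(rule):
    """Return the reasons a rule deserves analyst attention; an empty list means nothing notable."""
    reasons = []
    for key in ("RedirectTo", "ForwardTo"):           # mail diverted to another address
        target = rule.get(key)
        if target and target.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS:
            reasons.append(f"{key}_external:{target}")
    if rule.get("Deletes"):                            # mail hidden by deletion
        reasons.append("deletes")
    if rule.get("MarkRead") and (rule.get("Deletes") or rule.get("MoveToMailbox")):
        reasons.append("marks_read_and_hides")         # the user never sees the message
    expressions = [c.get("Expression", "").lower() for c in rule.get("Criteria", [])]
    if any(term in expr for expr in expressions for term in SENSITIVE_TERMS):
        reasons.append("criteria_match_sensitive_term")
    return reasons

def suspicious_rules(plist_bytes):
    """Map rule name -> reasons for every rule that is not benign."""
    found = {}
    for rule in load_rules(plist_bytes):
        reasons = assess_rule(rule)
        if reasons:
            found[rule.get("RuleName", "<unnamed>")] = reasons
    return found

def correlate_rule_writes(events):
    """Tag each write to a Mail rule store with how it was most likely made."""
    scripted = [e for e in events if e["type"] == "exec" and e["process"].endswith("/osascript")
                and any('"Mail"' in arg for arg in e["args"])]
    findings = []
    for e in events:
        if e["type"] != "file_write" or not e["path"].endswith(RULE_FILES):
            continue
        ts = datetime.fromisoformat(e["ts"])
        if e["process"] != MAIL_BINARY:
            tag = "direct_plist_write"    # something other than Mail.app rewrote the rule store
        elif any(s["user"] == e["user"] and timedelta(0) <= ts - datetime.fromisoformat(s["ts"]) <= AUTOMATION_WINDOW
                 for s in scripted):
            tag = "gui_automation"        # Mail wrote the file right after osascript addressed it
        else:
            tag = "interactive_edit"      # no scripting nearby: candidate for the normal-use baseline
        findings.append({**{k: e[k] for k in ("ts", "user", "pid", "process", "path")}, "tag": tag})
    return findings

if __name__ == "__main__":
    for name, why in suspicious_rules(SAMPLE_RULES_PLIST).items():
        print(f"rule {name!r}: {', '.join(why)}")
    for f in correlate_rule_writes(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['user']:5} {f['tag']:18} {f['process']} -> {f['path']}")
```

Run as a script it prints the flagged rule and the three tagged writes. In production the events would come from the EDR or Endpoint Security feed and the plist from the endpoint at collection time; writes tagged interactive_edit belong in the baseline described above rather than in an alert, while direct_plist_write and gui_automation are the cases worth an analyst's time.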
Mitigation priorities
- Establish logging and retention requirements for macOS endpoints that use Apple Mail.
- Limit unnecessary scripting and automation capabilities where business operations allow, for example by managing Automation and Accessibility permissions for Mail centrally through MDM privacy preferences rather than leaving them to per-user consent prompts.
- Include Apple Mail rule review in macOS incident response procedures for relevant users.
- Baseline normal Apple Mail rule behavior for high-value users before alerting broadly.
- Ensure security teams can collect the relevant plist files and endpoint logs during investigations.
Analyst notes and limits
The supplied object is a detection analytic for macOS Apple Mail rule creation or modification. It has no supplied ATT&CK tactics, no relationships, and no official detection logic, so this take focuses on defensive validation, telemetry readiness, and IR usefulness rather than a specific threat scenario.
This assessment is limited to the official STIX fields and the single external reference supplied. It does not establish active exploitation, adversary attribution, business impact, or detection efficacy. Local macOS configuration, Apple Mail usage, endpoint logging, and retention practices are required to determine real coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4a11feca69c2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1590 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.