Suspicious Apple Mail Rule Plist Modification
Detects suspicious creation or modification of the Apple Mail SyncedRules plist file by a non-Mail application. An adversary could establish persistence by creating or modifying an Apple Mail rule to point to a script file on disk, which will execute when an email matching the trigger is received.
Elastic rule
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects suspicious creation or modification of the Apple Mail SyncedRules plist file by a non-Mail application.
An adversary could establish persistence by creating or modifying an Apple Mail rule to point to a script file
on disk, which will execute when an email matching the trigger is received.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Apple Mail Rule Plist Modification"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Apple Mail Rule Plist Modification

This detects non-Apple Mail processes creating or modifying the SyncedRules.plist that stores Apple Mail rules, a persistence path because rules can trigger actions on incoming mail. Attackers commonly drop a script to disk, then edit the rules file so a crafted email (often from an attacker-controlled sender or with a specific subject) launches that script when it arrives.

### Possible investigation steps

- Identify the application that modified the plist and validate its legitimacy by checking code signature, bundle path, quarantine/download origin, and recent installation history.
- Diff the current SyncedRules.plist against a known-good or previous version (including backups/snapshots) to pinpoint what rule entries changed and when.
- Decode and review the plist contents to find any rule actions that execute scripts/binaries or reference external paths, then record the exact target command/path.
- Locate and inspect any referenced script or executable (hash, signature, contents, timestamps, and network indicators) and determine whether it is newly created or staged nearby.
- Correlate the modification time with surrounding system activity (process tree, file writes in user Library paths, network connections, and recent email-related events) to determine whether this is persistence setup versus benign automation.

### False positive analysis

- After a macOS reinstall, user migration, or restore from backup, SyncedRules.plist may be recreated or overwritten by a non-Mail restore/migration process when Mail data is copied back into the user's MailData directory.
- User-initiated or administrative automation that standardizes, repairs, or deploys Mail rules can modify SyncedRules.plist via command-line file operations or plist editing outside of Mail.app, especially during initial user provisioning or troubleshooting.

### Response and remediation

- Isolate the affected Mac from the network and temporarily disable Apple Mail rule processing by moving `SyncedRules.plist` out of the MailData directory to prevent any rule-triggered script execution while preserving evidence.
- Collect and preserve the modified `SyncedRules.plist`, its extended attributes/quarantine flags, and the modifying process binary/app bundle, then decode the plist to identify any rule actions that reference on-disk scripts or executables.
- Remove malicious persistence by deleting the offending rule entries (or restoring `SyncedRules.plist` from a known-good backup) and deleting/quarantining any referenced scripts/binaries and their launch points if they were dropped on disk.
- Hunt for and eradicate the originator by reviewing recently installed or unsigned apps and user-level agents/daemons that wrote into `~/Library/Mail/**/MailData/`, and reimage the endpoint if additional persistence or tampering is found.
- Recover by re-enabling Mail with a clean ruleset, forcing credential/session resets for affected mail accounts, and monitoring for recurrence of `SyncedRules.plist` changes or rule-triggered execution when new mail arrives.
- Escalate to incident response immediately if the plist contains rules invoking `sh`, `osascript`, `python`, or a non-Apple executable path, if the modifying process is unsigned/untrusted, or if the referenced script shows network beacons or data access behavior.
"""
references = [
  "https://www.n00py.io/2016/10/using-email-for-persistence-on-os-x/"
]
risk_score = 47
rule_id = "d7b57cbd-de03-4c3b-8278-daa1ee4a6772"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "macos" and event.type != "deletion" and
  file.name == "SyncedRules.plist" and
  file.path like ("/Users/*/Library/Mail/*/MailData/SyncedRules.plist",
                  "/Users/*/Library/Mobile Documents/com.apple.mail/Data/*/MailData/SyncedRules.plist") and
  not process.executable like ("/System/Applications/Mail.app/Contents/MacOS/Mail",
                               "/Applications/Mail.app/Contents/MacOS/Mail",
                               "/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd",
                               "/usr/libexec/xpcproxy",
                               "/System/Library/Frameworks/FileProvider.framework/Support/fileproviderd",
                               "/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird",
                               "/sbin/launchd",
                               "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Persistence"
  id = "TA0003"
  reference = "https://attack.mitre.org/tactics/TA0003/"

  [[rule.threat.technique]]
  name = "Event Triggered Execution"
  id = "T1546"
  reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Execution"
  id = "TA0002"
  reference = "https://attack.mitre.org/tactics/TA0002/"

  [[rule.threat.technique]]
  name = "User Execution"
  id = "T1204"
  reference = "https://attack.mitre.org/techniques/T1204/"
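To make the query's matching behaviour concrete, the following is an added example (not part of the Elastic rule or its repository) that re-implements the EQL clauses in plain Python and runs them over a handful of constructed endpoint file events. Field names follow the ECS fields the query uses; the events, the writer paths such as `/bin/sh` and `/bin/cp`, and the user name `alice` are constructed for the demonstration, and `event.type` is simplified to a single string where ECS stores an array.

```python
from fnmatch import fnmatchcase

# Globs copied from the rule's `file.path like (...)` clause. In EQL `*` matches any run of
# characters including "/", which is also how fnmatchcase treats it.
WATCHED_PATHS = (
    "/Users/*/Library/Mail/*/MailData/SyncedRules.plist",
    "/Users/*/Library/Mobile Documents/com.apple.mail/Data/*/MailData/SyncedRules.plist",
)

# Writers the rule excludes via `not process.executable like (...)`: the Mail, Time Machine,
# iCloud, launchd and Finder paths listed in the query.
ALLOWED_WRITERS = (
    "/System/Applications/Mail.app/Contents/MacOS/Mail",
    "/Applications/Mail.app/Contents/MacOS/Mail",
    "/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd",
    "/usr/libexec/xpcproxy",
    "/System/Library/Frameworks/FileProvider.framework/Support/fileproviderd",
    "/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird",
    "/sbin/launchd",
    "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
)


def _like_any(value, patterns):
    """EQL `like` is a case-sensitive glob; `like (a, b, ...)` is true if any pattern matches."""
    return any(fnmatchcase(value, p) for p in patterns)


def matches_rule(event):
    """True when a flat ECS-style event satisfies every clause of the query.

    event.type is modelled as one string; in ECS it is an array, and `!= "deletion"`
    then means no element equals "deletion".
    """
    return (
        event.get("event.category") == "file"          # `file where ...`
        and event.get("host.os.type") == "macos"
        and event.get("event.type") != "deletion"
        and event.get("file.name") == "SyncedRules.plist"
        and _like_any(event.get("file.path", ""), WATCHED_PATHS)
        and not _like_any(event.get("process.executable", ""), ALLOWED_WRITERS)
    )


def alerting_writers(events):
    """process.executable of every event the rule would alert on, in input order."""
    return [e["process.executable"] for e in events if matches_rule(e)]


def _event(path, writer, etype="change", os_type="macos"):
    """Build a constructed file event; not real telemetry."""
    return {
        "event.category": "file", "host.os.type": os_type, "event.type": etype,
        "file.name": path.rsplit("/", 1)[-1], "file.path": path,
        "process.executable": writer,
    }


MAIL_RULES = "/Users/alice/Library/Mail/V10/MailData/SyncedRules.plist"
ICLOUD_RULES = "/Users/alice/Library/Mobile Documents/com.apple.mail/Data/V10/MailData/SyncedRules.plist"

SAMPLE_EVENTS = [
    # Mail saving its own rules: excluded by the allow-list
    _event(MAIL_RULES, "/System/Applications/Mail.app/Contents/MacOS/Mail"),
    # a shell overwriting the rules file: alerts
    _event(MAIL_RULES, "/bin/sh"),
    # deletion events are excluded by `event.type != "deletion"`
    _event(MAIL_RULES, "/bin/rm", etype="deletion"),
    # the iCloud-synced copy written by cp during a "restore": alerts
    _event(ICLOUD_RULES, "/bin/cp", etype="creation"),
    # same file name outside the watched directories: not matched
    _event("/Users/alice/Desktop/SyncedRules.plist", "/bin/cp"),
    # the rule is scoped to macOS hosts
    _event(MAIL_RULES, "/bin/sh", os_type="linux"),
]

if __name__ == "__main__":
    print(alerting_writers(SAMPLE_EVENTS))  # ['/bin/sh', '/bin/cp']
```

The allow-list is the part that deserves a second look in any deployment: the "false positive analysis" section above describes restore and provisioning tooling that writes this file, and such writers would need to be tuned as exceptions in the rule rather than in this illustration.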
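The investigation steps ask the analyst to diff the plist against a known-good copy and to decode it looking for rule actions that reference scripts or on-disk paths. The following added example (not the rule's or Elastic's code) does both with the standard-library `plistlib`, over a constructed `SyncedRules.plist` embedded inline. The key names it reads (`Name`, `Enabled`, `Criteria` with `Header`/`Expression`, and `AppleScript` for the script action) are an assumption about Mail's rule schema, so the path scan walks every string in each rule rather than relying on those keys alone; the script path `/Users/Shared/.update.scpt` and the rule names are constructed.

```python
import plistlib

# Constructed sample, not a real capture. Key names are an assumption about Mail's
# rule schema; confirm them against a file taken from the affected system.
SAMPLE_SYNCED_RULES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Name</key><string>Newsletters</string>
    <key>Enabled</key><true/>
    <key>Criteria</key>
    <array>
      <dict><key>Header</key><string>From</string><key>Expression</key><string>news@example.org</string></dict>
    </array>
    <key>MarkRead</key><true/>
  </dict>
  <dict>
    <key>Name</key><string>Sync</string>
    <key>Enabled</key><true/>
    <key>Criteria</key>
    <array>
      <dict><key>Header</key><string>Subject</string><key>Expression</key><string>sync-me</string></dict>
    </array>
    <key>AppleScript</key><string>/Users/Shared/.update.scpt</string>
  </dict>
</array>
</plist>
"""


def load_rules(data):
    """Return the rule dicts from a plist. Accepts a top-level array, or a dict whose
    values hold the array, so the result does not depend on which layout the file uses."""
    doc = plistlib.loads(data)
    if isinstance(doc, list):
        return [r for r in doc if isinstance(r, dict)]
    rules = []
    if isinstance(doc, dict):
        for value in doc.values():
            if isinstance(value, list):
                rules.extend(r for r in value if isinstance(r, dict))
    return rules


def _strings(value):
    """Yield every string nested anywhere inside a plist value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def _looks_like_path(s):
    """Absolute or home-relative filesystem paths are what the triage step is after."""
    return s.startswith(("/", "~/"))


def find_script_rules(data):
    """Investigation step 3: rules that name a script action or embed an on-disk path,
    with the mail criteria that would trigger them."""
    findings = []
    for rule in load_rules(data):
        paths = sorted({s for s in _strings(rule) if _looks_like_path(s)})
        script = rule.get("AppleScript")
        if not paths and not script:
            continue
        triggers = [(c.get("Header"), c.get("Expression"))
                    for c in rule.get("Criteria", []) if isinstance(c, dict)]
        findings.append({
            "name": rule.get("Name"),
            "enabled": bool(rule.get("Enabled", False)),
            "script": script,
            "paths": paths,
            "triggers": triggers,
        })
    return findings


def rule_changes(known_good, current):
    """Investigation step 2: names of rules added or altered relative to a known-good copy.
    Whole rule dicts are compared, so a changed action on an existing rule also counts."""
    baseline = {r.get("Name"): r for r in load_rules(known_good)}
    return [r.get("Name") for r in load_rules(current) if baseline.get(r.get("Name")) != r]


# Constructed "known-good" baseline: the sample with only its first (benign) rule.
KNOWN_GOOD_RULES = plistlib.dumps(load_rules(SAMPLE_SYNCED_RULES)[:1])

if __name__ == "__main__":
    print(rule_changes(KNOWN_GOOD_RULES, SAMPLE_SYNCED_RULES))  # ['Sync']
    for finding in find_script_rules(SAMPLE_SYNCED_RULES):
        print(finding)
```

On a live case, read the collected plist with `open(path, "rb").read()` and pass the bytes in; binary plists are handled by `plistlib` as well. Any path reported should then be hashed and inspected as the next step describes, and the triggering `Header`/`Expression` pair tells you which inbound message would fire the rule.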
References
- https://www.n00py.io/2016/10/using-email-for-persistence-on-os-x/
Related rules
- Curl Execution via Shell Profile
- Dylib Injection via Process Environment Variables
- Manual Loading of a Suspicious Chromium Extension
- Persistence via Suspicious Launch Agent or Launch Daemon
- Persistence via a Hidden Plist Filename