Mail Rules

Overview

Evidence: Mail Rules
Description: Collect Mail Rules that contain AppleScript
Category: System
Platform: macos
Short Name: mrls
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Apple Mail rules can trigger AppleScripts on incoming mail. This data is essential for detecting malicious scripts used for persistence, exfiltration, or auto‑actions.

Data Collected

This collector gathers structured data about mail rules.

Mail Rules Data

| Field | Description | Example |
| --- | --- | --- |
| User | User | Example value |
| RulePath | Rule Path | Example value |
| Key | Key | Example value |
| Script | Script | Example value |
| ScriptPath | Script Path | Example value |

Collection Method

This collector searches for SyncedRules.plist files, extracts AppleScript rule entries, and records them into mail_rules.
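
The collection step described above can be reproduced during triage with a short script. This is an added example, not the collector's own code. It assumes rules are stored as a top-level array of dictionaries, that the script reference sits under an `AppleScript` key, and that scripts live in `~/Library/Application Scripts/com.apple.mail`; the mapping onto the field names in the table is an interpretation, and the sample plist is constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumptions (not stated on the page): the rule file layout, the "AppleScript"
# key that names the script, and the per-user Mail script directory.
# Output field names mirror the Mail Rules Data table.
SCRIPT_KEY = "AppleScript"
SCRIPT_DIR = Path("Library/Application Scripts/com.apple.mail")
PATTERN = "*/Library/Mail/V*/MailData/SyncedRules.plist"

def collect_mail_rules(users_root):
    """Return one record per rule that references an AppleScript."""
    records = []
    for plist_path in sorted(Path(users_root).glob(PATTERN)):
        home = plist_path.parents[4]  # <users_root>/<user>
        try:
            rules = plistlib.loads(plist_path.read_bytes())
        except (plistlib.InvalidFileException, ExpatError, OSError):
            continue  # unreadable or corrupt plist: skip it, keep collecting
        for rule in rules if isinstance(rules, list) else []:
            script = rule.get(SCRIPT_KEY) if isinstance(rule, dict) else None
            if script:
                records.append({
                    "User": home.name, "RulePath": str(plist_path), "Key": SCRIPT_KEY,
                    "Script": str(script), "ScriptPath": str(home / SCRIPT_DIR / str(script))})
    return records

def build_sample(root):
    """Write a constructed SyncedRules.plist for a made-up user 'alice'."""
    mail_data = Path(root) / "alice/Library/Mail/V10/MailData"
    mail_data.mkdir(parents=True)
    rules = [
        {"RuleName": "News", "Criteria": []},                # constructed: no script
        {"RuleName": "Invoice", SCRIPT_KEY: "notify.scpt"},  # constructed: script hook
    ]
    (mail_data / "SyncedRules.plist").write_bytes(plistlib.dumps(rules))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for record in collect_mail_rules(tmp):
            print(record)
```

Pointing `collect_mail_rules` at a mounted image's `Users` directory gives a quick list of rules to compare against the scripts actually present on disk; a rule whose `ScriptPath` does not exist, or a script with no matching rule, is worth a closer look.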

Forensic Value

This evidence is crucial for forensic investigations as it reveals script execution hooks configured in Mail, a known persistence vector.
