# Mail Rules

## Overview

**Evidence:** Mail Rules\
**Description:** Collect Mail Rules that contain AppleScript\
**Category:** System\
**Platform:** macos\
**Short Name:** mrls\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Apple Mail rules can run an AppleScript when an incoming message matches the rule. This data is essential for detecting malicious scripts used for persistence, exfiltration, or automated actions.

## Data Collected

This collector gathers structured data about mail rules.

### Mail Rules Data

| Field        | Description | Example       |
| ------------ | ----------- | ------------- |
| `User`       | User        | Example value |
| `RulePath`   | Rule Path   | Example value |
| `Key`        | Key         | Example value |
| `Script`     | Script      | Example value |
| `ScriptPath` | Script Path | Example value |

## Collection Method

This collector searches for `SyncedRules.plist` files, extracts AppleScript rule entries, and records them into `mail_rules`.
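
The collection step described above, as an added Python example (not the collector's own code). It assumes that a rule entry stores its script file name under a key whose name contains `AppleScript`, that home directories live under `/Users`, and that Mail resolves script names under `~/Library/Application Scripts/com.apple.mail`; the sample plist and the mapping onto the table's field names are constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath
from xml.parsers.expat import ExpatError

# Assumption: Mail resolves rule script names against this per-user folder.
SCRIPT_DIR = "Library/Application Scripts/com.apple.mail"

def find_applescript_rules(plist_bytes, user, rule_path):
    """Return one row per rule entry that references an AppleScript."""
    rows = []
    try:
        root = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    except (plistlib.InvalidFileException, ExpatError):
        return rows  # truncated or non-plist file: nothing to report

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                # Assumed key naming; matched loosely to survive layout changes.
                if "applescript" in key.lower() and isinstance(value, str) and value:
                    script = PurePosixPath(value)
                    if not script.is_absolute():
                        script = PurePosixPath("/Users", user, SCRIPT_DIR, value)
                    rows.append({"User": user, "RulePath": rule_path, "Key": key,
                                 "Script": value, "ScriptPath": str(script)})
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(root)
    return rows

# Constructed sample: two rules, only the second one runs a script.
SAMPLE = plistlib.dumps([
    {"RuleName": "News", "Criteria": [{"Header": "From", "Expression": "news@example.com"}]},
    {"RuleName": "Invoices", "AppleScript": "update.scpt",
     "Criteria": [{"Header": "Subject", "Expression": "invoice"}]},
])
SAMPLE_PATH = "/Users/alice/Library/Mail/V10/MailData/SyncedRules.plist"  # constructed

if __name__ == "__main__":
    for row in find_applescript_rules(SAMPLE, "alice", SAMPLE_PATH):
        print(row)
```

The `ScriptPath` is left unnormalized on purpose, so a script name containing `../` or an absolute path stays visible to the analyst.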

## Forensic Value

This evidence is crucial for forensic investigations as it reveals script execution hooks configured in Mail, a known persistence vector.
