Mail Rules

Overview

Evidence: Mail Rules
Description: Collect Mail Rules that contain AppleScript
Category: System
Platform: macos
Short Name: mrls
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Apple Mail rules can trigger AppleScripts on incoming mail. This data is essential for detecting malicious scripts used for persistence, exfiltration, or auto‑actions.

Data Collected

This collector gathers structured data about mail rules.

Mail Rules Data

Field	Description	Example
`User`	User	Example value
`RulePath`	Rule Path	Example value
`Key`	Key	Example value
`Script`	Script	Example value
`ScriptPath`	Script Path	Example value

Collection Method

This collector searches for SyncedRules.plist files, extracts AppleScript rule entries, and records them into mail_rules.

Forensic Value

This evidence is crucial for forensic investigations as it reveals script execution hooks configured in Mail, a known persistence vector.