Pulls iCloud Contacts for an account. No dependencies. No user notification.

Hunt Hypothesis

An adversary may be exfiltrating iCloud contact data to gather information for further attacks without user awareness. SOC teams should proactively hunt for this behavior to identify potential data exfiltration attempts and mitigate risk in their Azure Sentinel environment.

YARA Rule

rule hacktool_macos_manwhoami_icloudcontacts
{
    meta:
        description = "Pulls iCloud Contacts for an account. No dependencies. No user notification."
        reference = "https://github.com/manwhoami/iCloudContacts"
        author = "@mimeframe"
        id = "7c1f218e-c790-50ce-9408-d20747abde2e"
    strings:
        $a1 = "https://setup.icloud.com/setup/authenticate/" wide ascii
        $a2 = "https://p04-contacts.icloud.com/" wide ascii
        $a3 = "HTTP Error 401: Unauthorized. Are you sure the credentials are correct?" wide ascii
        $a4 = "HTTP Error 404: URL not found. Did you enter a username?" wide ascii
    condition:
        3 of ($a*)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• https://github.com/manwhoami/iCloudContacts
• Source Rule

False Positive Guidance

• Scenario: A system administrator uses Apple Configurator 2 to bulk import device configurations, which includes syncing iCloud contacts as part of a device enrollment process.
  Filter/Exclusion: Check for the presence of Apple Configurator 2 in the process name or command line arguments.

• Scenario: A scheduled job runs via AppleScript to automate contact synchronization for a group of users during off-peak hours.
  Filter/Exclusion: Filter by process owner (e.g., root or a known service account) and check for scheduled task identifiers.

• Scenario: A third-party MDM tool (e.g., Jamf Pro) performs a contact sync as part of device management, without user interaction.
  Filter/Exclusion: Include checks for MDM tool process names or service accounts associated with the tool.

• Scenario: A backup script or automation tool (e.g., rsync, Bacula) transfers iCloud contacts as part of a data migration or backup process.
  Filter/Exclusion: Filter by known backup tools or check for presence of backup-related command-line flags or paths.

• Scenario: An IT helpdesk tool (e.g., ServiceNow, Freshservice) triggers an automated contact sync when resolving a user ticket, without user notification.
  Filter/Exclusion: Check for process names or user contexts associated with helpdesk systems or service accounts.