Co-authors: Raae Wolfram & Sam Gardener
Many people aren't aware that Microsoft security isn't just about Microsoft; it's also about the platforms that support the products we build. That means our reach extends across all major operating systems: iOS, Android, Linux, and macOS!
In early 2025, Microsoft disclosed CVE-2025-31199, a macOS vulnerability that abused Spotlight, macOS's metadata importer framework, to bypass Transparency, Consent, and Control (TCC). After the Defender team reported it to Apple, a patch was released that closed the hole. But the underlying behavior behind the threat still matters to Microsoft! Once attackers learn that trusted macOS services can be redirected, they will reuse the method for nefarious purposes, so it is important to track those attempts down. The next variant won't look the same, and Spotlight is a commonly targeted service. [1] So, in this article, we teach you how to hunt beyond the patch!
Why Hunt for Sploitlight
Spotlight importers (.mdimporter bundles) extend macOS indexing; they normally process file metadata so that content becomes visible in search. Attackers can twist that design to index protected files, extract sensitive data, or trigger code execution, potentially with the elevated trust and privileges of a system service. Even with the patch in place, the same logic paths remain valuable targets for attackers. We recommend hunting for patterns around importers, indexing behavior, and TCC-privileged binaries to help detect attempts to rebuild this chain of abuse.
Advanced Hunting Queries (AHQs)
1. Detect Unusual Spotlight Importer Activity
Looking for manual invocations of mdimport may tip you off to attacker activity.
DeviceProcessEvents
| where ProcessCommandLine contains "mdimport"
OR
DeviceProcessEvents
| where ProcessCommandLine contains "mdimport"
// Capture the first "-<flag>" token on the command line
| extend mdimportFlag = extract(@"-(\w+)", 1, ProcessCommandLine)
| where isnotempty(mdimportFlag)
// in~ is case-insensitive, so "-l" also matches "L"; use in (no tilde) for an exact match
| where mdimportFlag in~ ("r", "i", "t", "L")
Why it’s important:
A Spotlight plugin under development or test is typically invoked from the command line with the mdimport utility. For a wide-sweeping query, search for mdimport alone; to get more granular, filter on common parameters such as "r", "i", "t", or "L".
2. Investigate Anomalous Spotlight Activity
Use this query to monitor Spotlight activity in the background.
DeviceProcessEvents
| where FileName in~ ("mdworker", "mdworker_shared")
Why it’s important:
The Advanced Hunting Portal creates timelines for you to quickly zoom in on abnormal behavior, and peaks can show when new Spotlight plugins are invoked.
Defender Recommendations
- Establish a baseline of normal Spotlight activity before setting detection thresholds.
- Tag importer activity by TCC domain to surface unexpected access.
- Correlate unsigned importer drops with system events such as privilege escalation or installer execution.
- Deploy these AHQs in Microsoft Defender XDR or Sentinel for continuous telemetry review.
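As an added hunting example (not code from the original post), the query below ties the baseline and correlation recommendations together: it pairs writes into a .mdimporter bundle under /Library/Spotlight or a user's ~/Library/Spotlight with the first mdimport invocation on the same device within the following hour, then compares the drop day's mdworker activity against that device's 30-day median. The importer directories, the 1-hour pairing window and the 2x spike threshold are assumptions to tune against your own environment.

```kusto
// Added hunting example (not from the original post). Assumes the standard
// DeviceFileEvents / DeviceProcessEvents schema and that non-system importers
// live under /Library/Spotlight or ~/Library/Spotlight; the window and the 2x
// spike threshold are constructed starting points, not tuned values.
let lookback = 30d;
let window = 1h;
// 1. Writes into a .mdimporter bundle outside the system importer directory
let importerDrops =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified")
    | where FolderPath matches regex @"^(/Users/[^/]+)?/Library/Spotlight/.*\.mdimporter(/|$)"
    | extend ImporterBundle = extract(@"([^/]+\.mdimporter)(/|$)", 1, FolderPath)
    | project DeviceId, DeviceName, DropTime = Timestamp, ImporterBundle,
              DropBy = InitiatingProcessFileName, DropCmd = InitiatingProcessCommandLine;
// 2. mdimport invocations that load, test, or list importers (same flags as query 1)
let mdimportRuns =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "mdimport" or ProcessCommandLine contains "mdimport"
    | extend mdimportFlag = extract(@"\s-(\w+)", 1, ProcessCommandLine)
    | where mdimportFlag in ("r", "i", "t", "L")
    | project DeviceId, RunTime = Timestamp, mdimportFlag,
              RunCmd = ProcessCommandLine, RunUser = AccountName;
// 3. Pair each drop with the first mdimport run on the same device inside the window
let paired =
    importerDrops
    | join kind=inner mdimportRuns on DeviceId
    | where RunTime between (DropTime .. (DropTime + window))
    | summarize arg_min(RunTime, *) by DeviceId, ImporterBundle, DropTime;
// 4. Baseline: daily mdworker launches per device and the device's 30-day median
let mdworkerDaily =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("mdworker", "mdworker_shared")
    | summarize Daily = count() by DeviceId, Day = bin(Timestamp, 1d);
let baseline =
    mdworkerDaily
    | summarize BaselineDaily = percentile(Daily, 50) by DeviceId;
// 5. Flag pairs whose drop day shows an indexing spike against that baseline
paired
| extend Day = bin(DropTime, 1d)
| join kind=leftouter mdworkerDaily on DeviceId, Day
| join kind=leftouter baseline on DeviceId
| extend IndexingSpike = Daily > 2 * BaselineDaily
| project DeviceName, DropTime, ImporterBundle, DropBy, DropCmd,
          RunTime, RunUser, mdimportFlag, RunCmd, Daily, BaselineDaily, IndexingSpike
| order by DropTime desc
```

Rows with IndexingSpike set to true are the ones worth opening first; a pair without a spike still deserves a look if DropBy is an installer or script rather than a known application.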
The Bigger Picture
The point isn’t to memorize CVEs. It’s to understand the logic that made them possible and look for it everywhere else. Threat actors don’t repeat exploits; they repeat success patterns. Visibility is the only real control. If a process touches data, moves it, or indexes it, it’s part of your attack surface. Treat it that way.
👉 Join the Defender Experts S.T.A.R. Forum to see Sploitlight detection strategies and live hunting demonstrations: Defender Experts Webinar Series
[1] References:
https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/
https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf