A quarantine flag is a macOS metadata marker added to files that are downloaded from the internet or received from untrusted sources. When the flag is present, the system can show extra warnings and route the file through built-in protections such as Gatekeeper before the user opens it. The goal is to make risky software easier to spot at the moment of execution.
This matters because many Mac attacks rely on social engineering rather than a software exploit. If a victim is persuaded to launch a fake installer or script, the quarantine flag may be the last visible warning before the payload runs. Attackers may try to strip the flag to reduce friction, while defenders can look for suspicious downloads, unexpected flag removal, and users bypassing safety prompts. In practice, the flag is a useful control, but it only works when users pay attention to the warnings it triggers.
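As an added example that is not part of the original page, the Python below sketches the defender-side check the paragraph describes: it parses the value of the `com.apple.quarantine` extended attribute (a semicolon-separated string of hex flags, hex download timestamp, downloading application and an identifier) and audits an inventory of downloaded files to report which ones lack the flag or carry a malformed value. The inventory and attribute values are constructed sample data; on a real Mac the value would come from `xattr -p com.apple.quarantine <file>`.

```python
"""Audit a file inventory for missing or malformed macOS quarantine flags.

The marker lives in the extended attribute com.apple.quarantine, whose
value has the shape "<hex flags>;<hex unix timestamp>;<agent>;<uuid>".
The inventory below is constructed sample data so the script runs offline.
"""
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample inventory: path -> attribute value (None = attribute absent)
SAMPLE_INVENTORY = {
    "/Users/alice/Downloads/report.pdf": "0081;6571a3c0;Safari;1B2C3D4E-0000-4000-8000-000000000001",
    "/Users/alice/Downloads/Installer.dmg": "0083;6571a400;Chrome;1B2C3D4E-0000-4000-8000-000000000002",
    "/Users/alice/Downloads/update.sh": None,       # flag absent: possibly stripped
    "/Users/alice/Downloads/tool.pkg": "garbage",    # value does not parse
}


def parse_quarantine(value):
    """Split a quarantine attribute value into fields; None if malformed."""
    parts = value.split(";")
    if len(parts) < 4:
        return None
    try:
        flags = int(parts[0], 16)
        downloaded = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None
    return {"flags": flags, "downloaded": downloaded, "agent": parts[2], "uuid": parts[3]}


def audit(inventory):
    """Classify each path as 'quarantined', 'unflagged' or 'malformed'.

    An unflagged file in a download directory deserves a second look: the
    Gatekeeper prompts that depend on the flag will not appear for it.
    """
    findings = {}
    for path, value in inventory.items():
        if value is None:
            findings[path] = "unflagged"
        elif parse_quarantine(value) is None:
            findings[path] = "malformed"
        else:
            findings[path] = "quarantined"
    return findings
```

Running `audit(SAMPLE_INVENTORY)` reports `update.sh` as unflagged and `tool.pkg` as malformed, the two cases a triage queue would surface.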