
T1070.008 Clear Mailbox Data

Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.

Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.[1][4] On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use AppleScript to interact with APIs on macOS.[2][3]

Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.[5]

Item Value
ID T1070.008
Sub-techniques T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009
Tactics TA0005
Platforms Google Workspace, Linux, Office 365, Windows, macOS
Version 1.1
Created 08 July 2022
Last Modified 12 April 2023

Procedure Examples

ID Name Description
S0477 Goopy Goopy has the ability to delete emails used for C2 once the content has been copied.[2]
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 removed evidence of email export requests using Remove-MailboxExportRequest.[1]

Mitigations

ID Mitigation Description
M1047 Audit In an Exchange environment, administrators can use Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious transport rules.[6]
M1029 Remote Data Storage Automatically forward mail data and events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
M1022 Restrict File and Directory Permissions Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0022 File File Deletion
DS0009 Process Process Creation
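The detection table above lists the data sources (Command Execution, Application Log Content) but does not show what a check over them looks like. The following script is an added example, not code from the ATT&CK page or from any referenced project: it walks a batch of Exchange admin audit records and flags the two patterns the page describes, a mailbox export request created and then removed by the same caller (the Remove-MailboxExportRequest pattern from the SolarWinds procedure example) and transport rules that are removed or created with a discard action (the M1047 audit). The records are constructed and only mimic the general shape of Search-AdminAuditLog output (CmdletName, CmdletParameters, Caller, RunDate); the field names, the example callers and mailbox names, and the set of discard parameters checked are assumptions to adapt to your own log export.

```python
"""Hunt for T1070.008 (Clear Mailbox Data) indicators in Exchange admin audit records.

Added example; not the ATT&CK page's own code. Records are constructed and only
mimic the shape of Search-AdminAuditLog output. Field names are assumptions.
"""
from datetime import datetime, timedelta

# Cmdlets that remove the artefacts this technique targets (export job records, transport rules).
CLEANUP_CMDLETS = {"Remove-MailboxExportRequest", "Remove-TransportRule"}
# Rule cmdlets whose parameters can make mail disappear before a user or analyst sees it.
RULE_CMDLETS = {"New-TransportRule", "Set-TransportRule"}
# Transport rule action parameters worth a second look (illustrative list, assumption).
DISCARD_PARAMETERS = {"DeleteMessage", "RedirectMessageTo"}

# Constructed sample records: one benign lookup, an export created and then removed
# by the same service account, and a rule change that silently drops alert mail.
AUDIT_LOG = [
    {"RunDate": "2022-07-08T09:00:00", "Caller": "contoso\\admin.jdoe",
     "CmdletName": "Get-Mailbox", "CmdletParameters": {"Identity": "finance"}},
    {"RunDate": "2022-07-08T09:05:00", "Caller": "contoso\\svc_backup",
     "CmdletName": "New-MailboxExportRequest",
     "CmdletParameters": {"Mailbox": "ceo", "FilePath": "\\\\fileserver\\exports\\ceo.pst"}},
    {"RunDate": "2022-07-08T09:41:00", "Caller": "contoso\\svc_backup",
     "CmdletName": "Remove-MailboxExportRequest",
     "CmdletParameters": {"Identity": "ceo\\MailboxExport", "Confirm": False}},
    {"RunDate": "2022-07-08T10:12:00", "Caller": "contoso\\admin.jdoe",
     "CmdletName": "New-TransportRule",
     "CmdletParameters": {"Name": "Drop quarantine notices",
                          "SubjectContainsWords": ["quarantine", "suspicious sign-in"],
                          "DeleteMessage": True}},
    {"RunDate": "2022-07-08T10:13:00", "Caller": "contoso\\admin.jdoe",
     "CmdletName": "Remove-TransportRule",
     "CmdletParameters": {"Identity": "Block known phishing senders", "Confirm": False}},
]


def parse_time(entry):
    """RunDate is an ISO 8601 string in the constructed records."""
    return datetime.fromisoformat(entry["RunDate"])


def flag_entry(entry):
    """Return (rule_id, reason) findings for one record; empty list if nothing stands out."""
    findings = []
    cmdlet = entry["CmdletName"]
    params = entry.get("CmdletParameters", {})
    if cmdlet in CLEANUP_CMDLETS:
        findings.append(("cleanup-cmdlet", f"{cmdlet} on {params.get('Identity', '?')}"))
    if cmdlet in RULE_CMDLETS:
        discarding = sorted(p for p in DISCARD_PARAMETERS if params.get(p))
        if discarding:
            name = params.get("Name", params.get("Identity", "?"))
            findings.append(("discarding-rule", f"{cmdlet} '{name}' uses {', '.join(discarding)}"))
    return findings


def export_then_cleanup(entries, window=timedelta(hours=2)):
    """Pair each Remove-MailboxExportRequest with an earlier New-MailboxExportRequest
    by the same caller inside the window. A short-lived export that the same account
    creates and then deletes is the cleanup pattern the page attributes to APT29."""
    ordered = sorted(entries, key=parse_time)
    pairs = []
    for i, removal in enumerate(ordered):
        if removal["CmdletName"] != "Remove-MailboxExportRequest":
            continue
        for earlier in ordered[:i]:
            if (earlier["CmdletName"] == "New-MailboxExportRequest"
                    and earlier["Caller"] == removal["Caller"]
                    and parse_time(removal) - parse_time(earlier) <= window):
                pairs.append((earlier, removal))
    return pairs


def analyze(entries):
    """Run both checks and return a report a SOC could turn into alerts."""
    report = {"findings": [], "export_cleanup_pairs": []}
    for entry in entries:
        for rule_id, reason in flag_entry(entry):
            report["findings"].append({"rule": rule_id, "caller": entry["Caller"],
                                       "when": entry["RunDate"], "reason": reason})
    for created, removed in export_then_cleanup(entries):
        report["export_cleanup_pairs"].append({
            "caller": created["Caller"],
            "mailbox": created["CmdletParameters"].get("Mailbox"),
            "created": created["RunDate"], "removed": removed["RunDate"]})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(AUDIT_LOG), indent=2))
```

On the constructed input the report contains three findings (the export removal, the rule created with DeleteMessage, and the rule removal) and one export-then-cleanup pair for the ceo mailbox. Running the same logic over audit data forwarded to a central log store, as mitigation M1029 recommends, matters more than the rule details: an attacker with Exchange admin rights can clear the local audit log as easily as the export requests.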

References