Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics

Technique Detected: Clear Mailbox Data | T1070.008

ID: DET0266
Domains: Enterprise
Analytics: AN0737, AN0738, AN0739, AN0740
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0737

Detects mailbox manipulation or deletion via PowerShell (e.g., Remove-MailboxExportRequest), file deletion from Outlook data stores (Unistore.db), or tampering with quarantined mail logs.

Log Sources
  Data Component                     Name                     Channel
  Command Execution (DC0064)         WinEventLog:PowerShell   EventCode=4104
  File Deletion (DC0040)             WinEventLog:Sysmon       EventCode=23
  File Modification (DC0061)         WinEventLog:Security     EventCode=4663
  Application Log Content (DC0038)   m365:exchange            Transport Rule Modification

Mutable Elements
  Field                    Description
  MailstorePath            Outlook files in AppData\Local\Comms\Unistore\data
  TransportRuleNames       Target suspicious rule changes (e.g., header removal)
  PowerShellCommandMatch   Regex match on `Remove-MailboxExportRequest` and similar Exchange cmdlets

AN0738

Detects the use of mail utilities like mail or mailx to delete mailbox content, or file-level deletion of inbox files from /var/spool/mail/ or /var/mail/ following suspicious sessions.

Log Sources
  Data Component                     Name                     Channel
  Process Creation (DC0032)          auditd:SYSCALL           execve
  File Deletion (DC0040)             auditd:SYSCALL           unlink/unlinkat

Mutable Elements
  Field                    Description
  MailFolderPath           Common inbox file locations such as /var/spool/mail/ and /var/mail/
  CommandPattern           Usage of mailx, or echo piped to mail, followed by deletion

AN0739

Detects removal of Apple Mail artifacts via AppleScript or direct deletion of mailbox content in ~/Library/Mail/, especially when preceded by Remote Login or C2-related API access.

Log Sources
  Data Component                     Name                     Channel
  Command Execution (DC0064)         macos:unifiedlog         log stream
  File Deletion (DC0040)             macos:osquery            file_events

Mutable Elements
  Field                    Description
  ScriptCommandMatch       AppleScript references to Mail.app and delete commands
  LibraryPathMatch         Files within ~/Library/Mail/V*/ folders

AN0740

Detects Exchange Online or on-prem transport rule changes (e.g., header stripping) and mailbox export cleanup via Remove-MailboxExportRequest, as well as admin actions via Exchange PowerShell sessions.

Log Sources
  Data Component                     Name                     Channel
  Application Log Content (DC0038)   m365:exchange            Admin Audit Logs, Transport Rules
  Command Execution (DC0064)         WinEventLog:PowerShell   Exchange Cmdlets

Mutable Elements
  Field                    Description
  CmdletFilter             Include `New-TransportRule`, `Set-TransportRule`, `Remove-*` actions
  UserRoleScope            Track role assignments for admins performing deletions
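An added example of the AN0737 and AN0740 logic, not part of the ATT&CK detection strategy itself: Python that applies the mutable elements above (Exchange cmdlet regex, Unistore path, transport rule cmdlet filter) to a batch of constructed Windows and Exchange log records. The record field names (ScriptBlockText, TargetFilename, Operation, UserId) and the regex patterns are assumptions for this example and should be tuned to the SIEM's normalized schema.

```python
import re

# Detection content derived from the AN0737/AN0740 mutable elements. The regexes
# and field names are assumptions for this example; tune them per environment.
CMDLET_RE = re.compile(
    r"\b(Remove-MailboxExportRequest|New-TransportRule|Set-TransportRule|Remove-[A-Za-z]+)\b",
    re.IGNORECASE,
)
MAILSTORE_RE = re.compile(r"\\AppData\\Local\\Comms\\Unistore\\data\\", re.IGNORECASE)
TRANSPORT_RULE_OPS = {"New-TransportRule", "Set-TransportRule", "Remove-TransportRule"}

def evaluate_event(event):
    """Map one normalized log record to an analytic hit, or None if nothing matches."""
    chan, code = event.get("channel"), event.get("EventCode")
    # AN0737/AN0740: Exchange cmdlets seen in PowerShell script block logging (4104)
    if chan == "WinEventLog:PowerShell" and code == 4104:
        m = CMDLET_RE.search(event.get("ScriptBlockText", ""))
        if m:
            return {"analytic": "AN0737", "reason": f"Exchange cmdlet {m.group(1)}", "user": event.get("User")}
    # AN0737: Sysmon FileDelete (23) against the Outlook Unistore data store
    if chan == "WinEventLog:Sysmon" and code == 23:
        if MAILSTORE_RE.search(event.get("TargetFilename", "")):
            return {"analytic": "AN0737", "reason": "Unistore file deleted", "user": event.get("User")}
    # AN0740: transport rule changes recorded in the Exchange admin audit log
    if chan == "m365:exchange" and event.get("Operation") in TRANSPORT_RULE_OPS:
        return {"analytic": "AN0740", "reason": f"transport rule {event['Operation']}", "user": event.get("UserId")}
    return None

def run_detection(events):
    """Return the hits for a batch of events, preserving input order."""
    return [hit for hit in map(evaluate_event, events) if hit]

# Constructed sample records (not real telemetry); two are benign and must not fire.
SAMPLE_EVENTS = [
    {"channel": "WinEventLog:PowerShell", "EventCode": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-MailboxExportRequest | Remove-MailboxExportRequest -Confirm:$false"},
    {"channel": "WinEventLog:Sysmon", "EventCode": 23, "User": "CORP\\jdoe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Comms\Unistore\data\3\b\Unistore.db"},
    {"channel": "WinEventLog:Sysmon", "EventCode": 23, "User": "CORP\\jdoe",
     "TargetFilename": r"C:\Users\jdoe\Downloads\notes.txt"},
    {"channel": "m365:exchange", "Operation": "Set-TransportRule", "UserId": "admin@example.com"},
    {"channel": "WinEventLog:PowerShell", "EventCode": 4104, "User": "CORP\\alice",
     "ScriptBlockText": "Get-Date"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Because `Remove-[A-Za-z]+` mirrors the `Remove-*` CmdletFilter, it will also match non-Exchange cmdlets such as Remove-Item; pairing the hit with UserRoleScope (Exchange admin role membership) is the intended way to cut that noise.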