Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.[1][2] On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use AppleScript to interact with APIs on macOS.[3][4]
Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.[5]
| ID | Name | Description |
|---|---|---|
| G1044 | APT42 |
APT42 has deleted login notification emails and has cleared the Sent folder to cover their tracks.[6] |
| S0477 | Goopy |
Goopy has the ability to delete emails used for C2 once the content has been copied.[3] |
| S1142 | LunarMail |
LunarMail can set the |
| G1015 | Scattered Spider |
Scattered Spider has manually deleted emails notifying users of suspicious account activity. [8] |
| C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 removed evidence of email export requests using |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
In an Exchange environment, Administrators can use |
| M1029 | Remote Data Storage |
Automatically forward mail data and events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| M1022 | Restrict File and Directory Permissions |
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0266 | Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics | AN0737 |
Detects mailbox manipulation or deletion via PowerShell (e.g., Remove-MailboxExportRequest), file deletion from Outlook data stores (Unistore.db), or tampering with quarantined mail logs. |
| AN0738 |
Detects the use of mail utilities like |
||
| AN0739 |
Detects removal of Apple Mail artifacts via AppleScript or direct deletion of mailbox content in ~/Library/Mail/, especially when preceded by Remote Login or C2-related API access. |
||
| AN0740 |
Detects Exchange Online or on-prem transport rule changes (e.g., header stripping) and mailbox export cleanup via |