Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.[1][2] On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use AppleScript to interact with APIs on macOS.[3][4]
Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.[5]
| ID | Name | Description |
|---|---|---|
| S0477 | Goopy |
Goopy has the ability to delete emails used for C2 once the content has been copied.[3] |
| S1142 | LunarMail |
LunarMail can set the |
| C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 removed evidence of email export requests using |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
In an Exchange environment, Administrators can use |
| M1029 | Remote Data Storage |
Automatically forward mail data and events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| M1022 | Restrict File and Directory Permissions |
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
In environments using Exchange, monitor logs for the creation or modification of mail processing settings, such as transport rules. |
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails. In Exchange environments, monitor for PowerShell cmdlets that may create or alter transport rules, such as |
| DS0022 | File | File Deletion |
Monitor for deletion of generated artifacts on a host system, including logs or captured files such as quarantined emails. On Windows 10, mail application data is stored in |
| File Modification |
Monitor for changes made to generated artifacts on a host system, including logs or captured files such as quarantined emails. On Windows 10, mail application data is stored in |
||
| DS0009 | Process | Process Creation |
Monitor for newly executed processes with arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails. |