T1070.008 Clear Mailbox Data Mappings

Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command-line tools or APIs. Mail application data can be emails themselves or logs generated by the application or operating system, such as records of mailbox export requests.

Adversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols used for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the <code>ExchangePowerShell</code> PowerShell module, including <code>Remove-MailboxExportRequest</code> to delete the record of a mailbox export after the exported data has been retrieved.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through the command-line utility <code>mail</code> (<code>mailx</code>), or use AppleScript to interact with mail APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)
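The Exchange behaviour above is visible in the admin audit log, which is where the CA-7/SI-4 monitoring controls in the table below get their teeth. The following is an added example (not code from ATT&CK, NIST, or this mapping page) that runs two detection rules over constructed audit records: a cmdlet tripwire for content- or export-request-deleting cmdlets, and a sequence rule that pairs a <code>New-MailboxExportRequest</code> with a <code>Remove-MailboxExportRequest</code> from the same caller within a time window, which is the export-then-cover-tracks pattern the technique describes. The record field names (<code>CmdletName</code>, <code>CmdletParameters</code>, <code>Caller</code>, <code>RunDate</code>) are modelled on <code>Search-AdminAuditLog</code> output but are an assumption, and the sample entries are constructed; the cmdlet list beyond the cited <code>Remove-MailboxExportRequest</code> is this example's own starting point, not a list from the page.

```python
"""
Detection rules for T1070.008 (Clear Mailbox Data) over Exchange admin audit
log records. Added example; record layout and sample data are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Cmdlets that delete mailbox content or the record of an export. A value of
# None means any invocation is interesting; a regex means only when the
# matching parameter is present. Remove-MailboxExportRequest is the cmdlet
# cited by ATT&CK; the other entries are this example's assumptions.
SUSPICIOUS = {
    "Remove-MailboxExportRequest": None,
    "Remove-MailboxImportRequest": None,
    "Search-Mailbox": re.compile(r"(?i)-DeleteContent"),
    "New-ComplianceSearchAction": re.compile(r"(?i)-Purge"),
}


@dataclass(frozen=True)
class Alert:
    rule: str
    caller: str
    cmdlet: str
    params: str
    run_date: str


def is_suspicious(cmdlet: str, params: str) -> bool:
    """True if the cmdlet (and, where required, its parameters) match SUSPICIOUS."""
    if cmdlet not in SUSPICIOUS:
        return False
    pattern = SUSPICIOUS[cmdlet]
    return pattern is None or pattern.search(params) is not None


def scan(records) -> list:
    """Rule 1: flag every record that invokes a deleting cmdlet."""
    return [
        Alert("delete-cmdlet", r["Caller"], r["CmdletName"],
              r["CmdletParameters"], r["RunDate"])
        for r in records
        if is_suspicious(r["CmdletName"], r["CmdletParameters"])
    ]


def export_then_remove(records, window: timedelta = timedelta(hours=2)) -> list:
    """Rule 2: same caller creates an export request and then removes an
    export request within `window`. A lone Remove-MailboxExportRequest may be
    routine cleanup; create-then-remove by one principal is the collection
    followed by evidence removal that the technique describes."""
    alerts = []
    last_export = {}  # caller -> time of most recent New-MailboxExportRequest
    for r in sorted(records, key=lambda rec: rec["RunDate"]):
        when = datetime.fromisoformat(r["RunDate"])
        if r["CmdletName"] == "New-MailboxExportRequest":
            last_export[r["Caller"]] = when
        elif r["CmdletName"] == "Remove-MailboxExportRequest":
            seen = last_export.get(r["Caller"])
            if seen is not None and when - seen <= window:
                alerts.append(Alert("export-then-remove", r["Caller"],
                                    r["CmdletName"], r["CmdletParameters"],
                                    r["RunDate"]))
    return alerts


# Constructed sample records (not real audit data), in chronological order:
# an export-and-remove pair by one account, benign admin activity, a purge
# via Search-Mailbox, and a stand-alone export-request removal.
SAMPLE_RECORDS = [
    {"RunDate": "2024-03-01T09:12:00", "Caller": "corp\\svc-backup",
     "CmdletName": "New-MailboxExportRequest",
     "CmdletParameters": "-Mailbox ceo -FilePath \\\\fs01\\pst\\ceo.pst"},
    {"RunDate": "2024-03-01T09:40:00", "Caller": "corp\\svc-backup",
     "CmdletName": "Remove-MailboxExportRequest",
     "CmdletParameters": "-Identity ceo\\MailboxExport -Confirm:$false"},
    {"RunDate": "2024-03-01T10:05:00", "Caller": "corp\\exadmin",
     "CmdletName": "Set-Mailbox",
     "CmdletParameters": "-Identity ceo -ProhibitSendQuota 2GB"},
    {"RunDate": "2024-03-01T11:00:00", "Caller": "corp\\exadmin",
     "CmdletName": "Search-Mailbox",
     "CmdletParameters": "-Identity ceo -SearchQuery 'from:ext' -DeleteContent"},
    {"RunDate": "2024-03-01T16:30:00", "Caller": "corp\\exadmin",
     "CmdletName": "Remove-MailboxExportRequest",
     "CmdletParameters": "-Identity hr\\MailboxExport"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS) + export_then_remove(SAMPLE_RECORDS):
        print(f"[{alert.rule}] {alert.run_date} {alert.caller}: "
              f"{alert.cmdlet} {alert.params}")
```

Rule 2 is the one worth tuning: the window and the requirement that the same principal performed both steps keep it quiet on routine operations, and it fires on the 09:12/09:40 pair above but not on the 16:30 removal that has no preceding export. Feeding real <code>Search-AdminAuditLog</code> output to these functions only requires mapping its property names onto the assumed dictionary keys.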


Mappings

Capability ID   Capability Description                             Mapping Type   ATT&CK ID   ATT&CK Name
AC-16           Security Attributes                                Protects       T1070.008   Clear Mailbox Data
AC-17           Remote Access                                      Protects       T1070.008   Clear Mailbox Data
AC-18           Wireless Access                                    Protects       T1070.008   Clear Mailbox Data
AC-19           Access Control For Mobile Devices                  Protects       T1070.008   Clear Mailbox Data
AC-2            Account Management                                 Protects       T1070.008   Clear Mailbox Data
AC-3            Access Enforcement                                 Protects       T1070.008   Clear Mailbox Data
AC-5            Separation Of Duties                               Protects       T1070.008   Clear Mailbox Data
AC-6            Least Privilege                                    Protects       T1070.008   Clear Mailbox Data
CA-7            Continuous Monitoring                              Protects       T1070.008   Clear Mailbox Data
CM-2            Baseline Configuration                             Protects       T1070.008   Clear Mailbox Data
CM-6            Configuration Settings                             Protects       T1070.008   Clear Mailbox Data
CP-6            Alternate Storage Site                             Protects       T1070.008   Clear Mailbox Data
CP-7            Alternate Processing Site                          Protects       T1070.008   Clear Mailbox Data
CP-9            Information System Backup                          Protects       T1070.008   Clear Mailbox Data
SC-36           Distributed Processing And Storage                 Protects       T1070.008   Clear Mailbox Data
SC-4            Information In Shared Resources                    Protects       T1070.008   Clear Mailbox Data
SI-12           Information Handling And Retention                 Protects       T1070.008   Clear Mailbox Data
SI-3            Malicious Code Protection                          Protects       T1070.008   Clear Mailbox Data
SI-4            Information System Monitoring                      Protects       T1070.008   Clear Mailbox Data
SI-7            Software, Firmware, And Information Integrity      Protects       T1070.008   Clear Mailbox Data