T1070.008 Clear Mailbox Data Mappings

Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.

Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use AppleScript to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)

Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)
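As an added example (not part of the ATT&CK description or the mappings project), the following Python detector runs over constructed Exchange admin audit log records and flags the cmdlets the description names: it raises a Remove-MailboxExportRequest to high severity when it closely follows the same caller's own export, and flags transport-rule changes and Search-Mailbox -DeleteContent as mailbox-evidence manipulation. The record field names (RunDate, Caller, CmdletName, CmdletParameters) are an assumption about Search-AdminAuditLog output; the sample log is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AuditRecord:           # one Search-AdminAuditLog entry (field names assumed)
    run_date: datetime
    caller: str
    cmdlet: str
    parameters: str          # CmdletParameters flattened to "Name=Value; ..."

@dataclass
class Finding:
    record: AuditRecord
    severity: str
    reason: str

# Cmdlets that delete mailbox artifacts or change organization-wide mail flow.
WATCHED = {
    "Remove-MailboxExportRequest": "removes the record of a mailbox export",
    "New-TransportRule": "org-wide transport rule can strip headers or drop mail",
    "Set-TransportRule": "org-wide transport rule can strip headers or drop mail",
}

def detect(records, window=timedelta(hours=24)):
    """Flag watched cmdlets; escalate an export-request removal that follows the
    same caller's own New-MailboxExportRequest within `window`."""
    findings, last_export = [], {}   # last_export: caller -> time of last export
    for r in sorted(records, key=lambda x: x.run_date):
        if r.cmdlet == "New-MailboxExportRequest":
            last_export[r.caller] = r.run_date
        elif r.cmdlet == "Search-Mailbox" and "DeleteContent" in r.parameters:
            findings.append(Finding(r, "high", "Search-Mailbox -DeleteContent purges messages"))
        elif r.cmdlet in WATCHED:
            severity, reason = "medium", WATCHED[r.cmdlet]
            prior = last_export.get(r.caller)
            if (r.cmdlet == "Remove-MailboxExportRequest" and prior is not None
                    and r.run_date - prior <= window):
                severity, reason = "high", "export request removed soon after the caller's own export"
            findings.append(Finding(r, severity, reason))
    return findings

# Constructed sample log; not real audit data.
SAMPLE = [
    AuditRecord(datetime(2024, 5, 1, 9, 0), "CORP\\admin.jane", "New-MailboxExportRequest", "Mailbox=user1"),
    AuditRecord(datetime(2024, 5, 1, 9, 40), "CORP\\admin.jane", "Remove-MailboxExportRequest", "Identity=user1\\MailboxExport"),
    AuditRecord(datetime(2024, 5, 2, 11, 0), "CORP\\svc.mail", "Set-TransportRule", "Identity=Tagging; RemoveHeader=X-Spam-Status"),
    AuditRecord(datetime(2024, 5, 2, 12, 0), "CORP\\admin.bob", "Get-Mailbox", "Identity=user2"),
]
```

Calling detect(SAMPLE) yields two findings: the export-request removal at high severity and the transport-rule change at medium; the read-only Get-Mailbox call is ignored.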


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1070.008 | Clear Mailbox Data | |
| CM-06 | Configuration Settings | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-17 | Remote Access | mitigates | T1070.008 | Clear Mailbox Data | |
| CP-07 | Alternate Processing Site | mitigates | T1070.008 | Clear Mailbox Data | |
| CP-06 | Alternate Storage Site | mitigates | T1070.008 | Clear Mailbox Data | |
| SC-36 | Distributed Processing and Storage | mitigates | T1070.008 | Clear Mailbox Data | |
| CP-09 | System Backup | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-19 | Access Control for Mobile Devices | mitigates | T1070.008 | Clear Mailbox Data | |
| SC-04 | Information in Shared System Resources | mitigates | T1070.008 | Clear Mailbox Data | |
| SI-12 | Information Management and Retention | mitigates | T1070.008 | Clear Mailbox Data | |
| SI-03 | Malicious Code Protection | mitigates | T1070.008 | Clear Mailbox Data | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-20 | Use of External Systems | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-16 | Security and Privacy Attributes | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-18 | Wireless Access | mitigates | T1070.008 | Clear Mailbox Data | |
| CM-02 | Baseline Configuration | mitigates | T1070.008 | Clear Mailbox Data | |
| SI-04 | System Monitoring | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-04 | Information Flow Enforcement | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-02 | Account Management | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-03 | Access Enforcement | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-05 | Separation of Duties | mitigates | T1070.008 | Clear Mailbox Data | |
| AC-06 | Least Privilege | mitigates | T1070.008 | Clear Mailbox Data | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1070.008 | Clear Mailbox Data | See comments below |
Comments
Google Security Operations can trigger an alert when indicators are cleared from the infrastructure. This technique was scored as Minimal based on a low or uncertain detection coverage factor.

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_inspector | Amazon Inspector | technique_scores | T1070.008 | Clear Mailbox Data | See comments below |
Comments
The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures that only the root account can modify or execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; it only checks whether security controls are in place, which can inform decisions around hardening the system. Because of this, and because the security control is only supported on Linux platforms, the score is Minimal.