MITRE ATT&CK Technique
Description
Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.

Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the <code>ExchangePowerShell</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including <code>Remove-MailboxExportRequest</code> to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called <code>mail</code> or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)

Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)
Supported Platforms
Linux, macOS, Office Suite, Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2022-07-08T21:04:03.739Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may modify mail and mail application data to '
'remove evidence of their activity. Email applications allow '
'users and other programs to export and delete mailbox data '
'via command line tools or use of APIs. Mail application data '
'can be emails, email metadata, or logs generated by the '
'application or operating system, such as export requests. \n'
'\n'
'Adversaries may manipulate emails and mailbox data to remove '
'logs, artifacts, and metadata, such as evidence of '
'[Phishing](https://attack.mitre.org/techniques/T1566)/[Internal '
'Spearphishing](https://attack.mitre.org/techniques/T1534), '
'[Email '
'Collection](https://attack.mitre.org/techniques/T1114), [Mail '
'Protocols](https://attack.mitre.org/techniques/T1071/003) for '
'command and control, or email-based exfiltration such as '
'[Exfiltration Over Alternative '
'Protocol](https://attack.mitre.org/techniques/T1048). For '
'example, to remove evidence on Exchange servers adversaries '
'have used the <code>ExchangePowerShell</code> '
'[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
'module, including <code>Remove-MailboxExportRequest</code> to '
'remove evidence of mailbox exports.(Citation: Volexity '
'SolarWinds)(Citation: ExchangePowerShell Module) On Linux and '
'macOS, adversaries may also delete emails through a command '
'line utility called <code>mail</code> or use '
'[AppleScript](https://attack.mitre.org/techniques/T1059/002) '
'to interact with APIs on macOS.(Citation: Cybereason Cobalt '
'Kitty 2017)(Citation: mailx man page)\n'
'\n'
'Adversaries may also remove emails and metadata/headers '
'indicative of spam or suspicious activity (for example, '
'through the use of organization-wide transport rules) to '
'reduce the likelihood of malicious emails being detected by '
'security products.(Citation: Microsoft OAuth Spam 2022)',
'external_references': [{'external_id': 'T1070.008',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1070/008'},
{'description': 'Cash, D. et al. (2020, December 14). '
'Dark Halo Leverages SolarWinds '
'Compromise to Breach Organizations. '
'Retrieved December 29, 2020.',
'source_name': 'Volexity SolarWinds',
'url': 'https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/'},
{'description': 'Dahan, A. (2017). Operation Cobalt '
'Kitty. Retrieved December 27, 2018.',
'source_name': 'Cybereason Cobalt Kitty 2017',
'url': 'https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf'},
{'description': 'Michael Kerrisk. (2021, August 27). '
'mailx(1p) — Linux manual page. '
'Retrieved June 10, 2022.',
'source_name': 'mailx man page',
'url': 'https://man7.org/linux/man-pages/man1/mailx.1p.html'},
{'description': 'Microsoft. (2017, September 25). '
'ExchangePowerShell. Retrieved June '
'10, 2022.',
'source_name': 'ExchangePowerShell Module',
'url': 'https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes'},
{'description': 'Microsoft. (2023, September 22). '
'Malicious OAuth applications abuse '
'cloud email services to spread spam. '
'Retrieved March 13, 2023.',
'source_name': 'Microsoft OAuth Spam 2022',
'url': 'https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/'}],
'id': 'attack-pattern--438c967d-3996-4870-bfc2-3954752a1927',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-04-15T21:56:59.810Z',
'name': 'Clear Mailbox Data',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Liran Ravich, CardinalOps'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Office Suite', 'Windows'],
'x_mitre_version': '1.2'}