Description
Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command-line tools or APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as records of export requests.
Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols used for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers, adversaries have used the ExchangePowerShell module, including the `Remove-MailboxExportRequest` cmdlet, to delete the record of a mailbox export.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails with the `mail` command-line utility, or use AppleScript to interact with mail APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)
Adversaries may also remove emails, or the metadata and headers that mark them as spam or suspicious (for example, through organization-wide transport rules), to reduce the likelihood that malicious emails are detected by security products.(Citation: Microsoft OAuth Spam 2022)
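The export-then-remove pattern described above leaves a trace in the Exchange admin audit log even when the export request itself is gone. The following triage script is an added example, not code from the ATT&CK page or from any cited vendor. It walks audit records shaped like `Search-AdminAuditLog` output (CmdletName, Caller, RunDate, CmdletParameters as Name/Value pairs; that shape, and the constructed SAMPLE_RECORDS, are this example's assumptions), flags evidence-removing cmdlets, and raises the severity when the same caller ran a mailbox export shortly before removing the request.

```python
"""Triage of Exchange admin audit records for mailbox-data clearing.

SAMPLE_RECORDS is constructed for this example. Its shape (CmdletName, Caller,
RunDate, CmdletParameters as Name/Value pairs) mimics what Search-AdminAuditLog
returns; treating it as JSON-like dicts is an assumption, not a documented
schema. Nothing here is the ATT&CK page's own code.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Iterable

# Constructed sample: an export, its removal 20 minutes later by the same
# caller, an unrelated transport rule removal, and one benign change.
SAMPLE_RECORDS = [
    {"CmdletName": "New-MailboxExportRequest", "Caller": "corp\\svc-backup",
     "RunDate": "2020-12-01T02:10:00",
     "CmdletParameters": [{"Name": "Mailbox", "Value": "cfo"},
                          {"Name": "FilePath", "Value": "\\\\fs01\\exports\\cfo.pst"}]},
    {"CmdletName": "Remove-MailboxExportRequest", "Caller": "corp\\svc-backup",
     "RunDate": "2020-12-01T02:30:00",
     "CmdletParameters": [{"Name": "Identity", "Value": "cfo\\MailboxExport"},
                          {"Name": "Confirm", "Value": "False"}]},
    {"CmdletName": "Remove-TransportRule", "Caller": "corp\\helpdesk1",
     "RunDate": "2020-12-01T03:00:00",
     "CmdletParameters": [{"Name": "Identity", "Value": "Quarantine external spam"}]},
    {"CmdletName": "Set-Mailbox", "Caller": "corp\\exadmin",
     "RunDate": "2020-12-01T09:00:00",
     "CmdletParameters": [{"Name": "Identity", "Value": "alice"},
                          {"Name": "ProhibitSendQuota", "Value": "50GB"}]},
]

# Cmdlets whose effect is to remove evidence of mail activity or of
# mail-handling configuration.
EVIDENCE_REMOVING_CMDLETS = {
    "Remove-MailboxExportRequest": "mailbox export request removed",
    "Remove-TransportRule": "transport rule removed",
    "Remove-InboxRule": "inbox rule removed",
}
# An export request removed within this window of an export by the same
# caller is treated as cleanup of that export rather than routine hygiene.
EXPORT_CLEANUP_WINDOW = timedelta(hours=24)


def _params(record: dict) -> dict[str, str]:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("CmdletParameters", [])}


def find_suspicious(records: Iterable[dict]) -> list[dict]:
    """Return one finding per suspicious record, in RunDate order.

    Each finding carries RunDate, Caller, Cmdlet, Severity and Reason.
    """
    findings: list[dict] = []
    last_export_by_caller: dict[str, datetime] = {}
    for rec in sorted(records, key=lambda r: r["RunDate"]):
        cmdlet, caller = rec["CmdletName"], rec["Caller"]
        when = datetime.fromisoformat(rec["RunDate"])
        params = _params(rec)
        reasons: list[str] = []
        severity = "medium"

        if cmdlet == "New-MailboxExportRequest":
            # Remember the export so a later removal can be correlated with it.
            last_export_by_caller[caller] = when

        if cmdlet in EVIDENCE_REMOVING_CMDLETS:
            reasons.append(EVIDENCE_REMOVING_CMDLETS[cmdlet])

        if cmdlet == "Remove-MailboxExportRequest":
            last = last_export_by_caller.get(caller)
            if last is not None and when - last <= EXPORT_CLEANUP_WINDOW:
                reasons.append(f"same caller exported a mailbox {when - last} earlier")
                severity = "high"
            if params.get("Confirm", "").lower() == "false":
                reasons.append("run non-interactively (-Confirm:$false)")

        if reasons:
            findings.append({"RunDate": rec["RunDate"], "Caller": caller,
                             "Cmdlet": cmdlet, "Severity": severity,
                             "Reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_RECORDS):
        print(f"[{f['Severity']}] {f['RunDate']} {f['Caller']} {f['Cmdlet']}: {f['Reason']}")
```

On the sample, the export-request removal is reported as high severity because the same service account exported a mailbox 20 minutes earlier; the transport rule removal is reported as medium, since rule deletions also happen legitimately and need the rule's content to judge. Because the admin audit log is itself a target, forward it off the server (see the Remote Data Storage mitigation) before relying on it.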
Platforms
Mitigations (3)
Restrict File and Directory PermissionsM1022
Protect locally stored event and log files with appropriate file permissions and authentication, and limit an adversary's ability to gain the privileges needed to alter them by closing off Privilege Escalation opportunities.
AuditM1047
In an Exchange environment, administrators can use Get-TransportRule to enumerate mail flow rules and Remove-TransportRule to delete any that are potentially malicious.(Citation: Microsoft Manage Mail Flow Rules 2023)
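Enumerating rules is only useful with a way to rank them. The script below is an added example, not code from the ATT&CK page or from Microsoft. It scores transport rules exported from Get-TransportRule for the actions this technique relies on: silently deleting or redirecting messages whose conditions look like account-security notifications (the Audit mitigation above), and stripping spam-classification headers or forcing SCL -1 so that messages bypass filtering (the transport-rule abuse in the description). The RULES sample is constructed, and reading rule properties (DeleteMessage, RedirectMessageTo, SetSCL, RemoveHeader, WhenChanged) as JSON-like dicts is this example's assumption; those names are the cmdlet's own parameters.

```python
"""Audit of Exchange mail flow (transport) rules for actions that hide
evidence or defeat spam filtering.

RULES is a constructed sample whose keys mirror Get-TransportRule property
names (DeleteMessage, RedirectMessageTo, SetSCL, RemoveHeader, WhenChanged);
reading them from exported JSON-like dicts is this example's assumption.
Not code from the ATT&CK page or from Microsoft.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Subject/body terms typical of account-security notifications.
NOTIFICATION_KEYWORDS = ("sign-in", "login", "password", "security alert", "suspicious")
RECENT = timedelta(days=14)
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
# Fixed reference time so the sample audit is reproducible.
AUDIT_TIME = datetime(2023, 3, 20)

RULES = [
    {"Name": "Block executable attachments", "State": "Enabled", "Priority": 0,
     "WhenChanged": "2023-01-15T10:00:00",
     "AttachmentExtensionMatchesWords": ["exe", "js"],
     "RejectMessageReasonText": "Executable attachments are not allowed"},
    {"Name": "cleanup", "State": "Enabled", "Priority": 1,
     "WhenChanged": "2023-03-10T02:14:00",
     "SubjectOrBodyContainsWords": ["unusual sign-in activity", "new device"],
     "DeleteMessage": True},
    {"Name": "partner relay", "State": "Enabled", "Priority": 2,
     "WhenChanged": "2023-01-20T23:40:00",
     "SenderIpRanges": ["203.0.113.0/24"],
     "SetSCL": -1, "RemoveHeader": "X-MS-Exchange-Organization-SCL"},
    {"Name": "Archive to legal", "State": "Disabled", "Priority": 3,
     "WhenChanged": "2022-06-01T09:00:00",
     "RedirectMessageTo": ["legal-archive@example.com"]},
]


def audit_transport_rules(rules: list[dict], now: datetime) -> list[dict]:
    """Return findings sorted by severity, each with a Remove-TransportRule line."""
    findings: list[dict] = []
    for rule in rules:
        reasons: list[str] = []
        words = [w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])
                 + rule.get("SubjectContainsWords", [])]
        targets_notices = any(k in w for w in words for k in NOTIFICATION_KEYWORDS)

        # Actions that hide messages from the recipient or from security tooling.
        if rule.get("DeleteMessage"):
            reasons.append("silently deletes matching messages")
        if rule.get("RedirectMessageTo"):
            reasons.append("redirects matching messages to " + ", ".join(rule["RedirectMessageTo"]))
        if rule.get("SetSCL") is not None and int(rule["SetSCL"]) < 0:
            reasons.append("sets SCL -1, bypassing spam filtering")
        if rule.get("RemoveHeader"):
            reasons.append(f"strips header {rule['RemoveHeader']}")
        if not reasons:
            continue

        changed = datetime.fromisoformat(rule["WhenChanged"])
        recent = now - changed <= RECENT
        if targets_notices:
            reasons.append("conditions match security-notification wording")
        if recent:
            reasons.append(f"changed {(now - changed).days} days ago")

        if rule.get("State") != "Enabled":
            severity = "low"        # still worth removing, but not acting now
        elif targets_notices or recent:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"Name": rule["Name"], "Severity": severity,
                         "Reason": "; ".join(reasons),
                         "Remediation": f'Remove-TransportRule -Identity "{rule["Name"]}"'})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["Severity"]])


if __name__ == "__main__":
    for f in audit_transport_rules(RULES, AUDIT_TIME):
        print(f"[{f['Severity']}] {f['Name']}: {f['Reason']}\n    {f['Remediation']}")
```

Run against real data by exporting rules (for example `Get-TransportRule | ConvertTo-Json`) and loading the result with `json.load` in place of RULES. Review findings before executing the Remove-TransportRule lines; the script ranks, it does not remediate.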
Remote Data StorageM1029
Automatically forward mail data and events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has deleted login notification emails and has cleared the Sent folder to cover their tracks.(Citation: ... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has manually deleted emails notifying users of suspicious account activity. (Citation: Crow... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1142 | LunarMail | Malware | [LunarMail](https://attack.mitre.org/software/S1142) can set the `PR_DELETE_AFTER_SUBMIT` flag to delete messages sent for data exfiltration.(Citation... |
| S0477 | Goopy | Malware | [Goopy](https://attack.mitre.org/software/S0477) has the ability to delete emails used for C2 once the content has been copied.(Citation: Cybereason C... |
References
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Kerrisk, M. (2021, August 27). mailx(1p) — Linux manual page. Retrieved June 10, 2022.
- Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.
- Microsoft. (2022, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.
Frequently Asked Questions
What is T1070.008 (Clear Mailbox Data)?
T1070.008 is a MITRE ATT&CK sub-technique named 'Clear Mailbox Data' under T1070 (Indicator Removal). It belongs to the Defense Evasion tactic. Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command-line tools or APIs.
How can T1070.008 be detected?
Detection of T1070.008 (Clear Mailbox Data) relies on logging that survives tampering with the mailbox itself. Forward Exchange admin audit logs and mail application logs to a remote collector, and alert on evidence-removing operations such as Remove-MailboxExportRequest, the creation or removal of transport rules that delete, redirect, or strip headers from messages, and bulk deletion of messages (including clearing of Sent folders or deletion of security notification emails) via command-line mail utilities, AppleScript, or mail APIs. Correlate these with preceding exports, collection, or mail-based C2 activity in SIEM and EDR telemetry.
What mitigations exist for T1070.008?
There are 3 documented mitigations for T1070.008. Key mitigations include: Restrict File and Directory Permissions, Audit, Remote Data Storage.
Which threat groups use T1070.008?
Known threat groups using T1070.008 include: APT42, Scattered Spider.