T1070.008

Clear Mailbox Data

Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Adversaries may use Exchange PowerShell cmdlets (e.g., Remove-MailboxExportRequest, Search-Mailbox with DeleteContent), O365/Graph API calls, or command-line mail utilities on Linux/macOS to delete emails, purge Deleted Items, remove sent items, wipe transport rules, or remove export request logs. This covers tracks from phishing delivery, internal spearphishing, email-based C2, and email exfiltration.

Microsoft Sentinel / Defender

kusto

let SuspiciousMailboxCmdlets = dynamic([
  "Remove-MailboxExportRequest",
  "Remove-MailboxImportRequest",
  "Search-Mailbox",
  "New-ComplianceSearchAction",
  "Remove-MoveRequest",
  "Set-MailboxMessageConfiguration",
  "New-TransportRule",
  "Remove-TransportRule",
  "Set-TransportRule",
  "Disable-TransportRule",
  "Remove-InboxRule",
  "New-InboxRule",
  "Set-InboxRule",
  "Remove-RecoverableItemsCleanup"
]);
let DeleteContentPatterns = dynamic([
  "-DeleteContent",
  "-PurgeType HardDelete",
  "-PurgeType SoftDelete",
  "DeleteContent",
  "HardDelete"
]);
// Branch 1: Exchange PowerShell cmdlets for mailbox manipulation
let ExchangePowerShell = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (SuspiciousMailboxCmdlets)
| extend DetectionType = "ExchangePowerShell_MailboxManipulation"
| extend HasDeleteContent = ProcessCommandLine has_any (DeleteContentPatterns)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionType, HasDeleteContent;
// Branch 2: Office 365 Unified Audit Log - mailbox purge/delete operations
let O365MailboxDelete = OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in (
    "HardDelete",
    "SoftDelete",
    "MoveToDeletedItems",
    "FolderBind",
    "SendAs",
    "MailboxLogin"
  )
  and Operation in ("HardDelete", "SoftDelete")
| extend DetectionType = "O365_MailboxItemDeletion"
| extend HasDeleteContent = true
| project TimeGenerated, UserId, Operation, ClientIP, MailboxOwnerUPN,
          OfficeObjectId, ResultStatus, DetectionType, HasDeleteContent;
// Branch 3: Bulk or suspicious deletions in Exchange audit logs
let ExchangeAuditBulk = OfficeActivity
| where TimeGenerated > ago(24h)
| where RecordType == "ExchangeAdmin"
| where Operation in (
    "Remove-MailboxExportRequest",
    "Search-Mailbox",
    "Remove-TransportRule",
    "Disable-TransportRule",
    "New-TransportRule",
    "Remove-InboxRule",
    "Set-InboxRule"
  )
| extend DetectionType = "ExchangeAdmin_MailboxCoverage"
| extend HasDeleteContent = Operation has_any (DeleteContentPatterns)
| project TimeGenerated, UserId, Operation, ClientIP, ResultStatus,
          Parameters, DetectionType, HasDeleteContent;
ExchangePowerShell
| union kind=outer (
  O365MailboxDelete
  | project Timestamp=TimeGenerated, DeviceName=UserId, AccountName=UserId,
            FileName=Operation, ProcessCommandLine=OfficeObjectId,
            InitiatingProcessFileName=ClientIP, InitiatingProcessCommandLine=MailboxOwnerUPN,
            DetectionType, HasDeleteContent
)
| union kind=outer (
  ExchangeAuditBulk
  | project Timestamp=TimeGenerated, DeviceName=UserId, AccountName=UserId,
            FileName=Operation, ProcessCommandLine=tostring(Parameters),
            InitiatingProcessFileName=ClientIP, InitiatingProcessCommandLine=ResultStatus,
            DetectionType, HasDeleteContent
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Application Log: Application Log Content Microsoft Defender for Endpoint: DeviceProcessEvents Office 365 Unified Audit Log: OfficeActivity Exchange Admin Audit Log

Required Tables

DeviceProcessEvents OfficeActivity

False Positives

Legitimate Exchange administrators running Remove-MailboxExportRequest to clean up completed export jobs as part of routine mailbox management
Compliance officers using Search-Mailbox -DeleteContent for approved legal hold or eDiscovery purge operations following documented procedures
Automated retention policy enforcement systems (MRM/MFA policies) triggering HardDelete or SoftDelete operations in bulk across user mailboxes
Help desk staff using Remove-InboxRule or Set-InboxRule to clean up spam filter rules or misconfigured user inbox rules

Splunk

spl

( sourcetype="WinEventLog:Security" EventCode=4688 ) OR
( sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 )
| eval CommandLine=coalesce(CommandLine, Process_Command_Line, NewProcessName)
| eval Image=coalesce(Image, NewProcessName, ParentProcessName)
| where (Image LIKE "%powershell.exe" OR Image LIKE "%pwsh.exe")
| eval CmdLower=lower(CommandLine)
| eval RemoveExportReq=if(match(CmdLower, "remove-mailboxexportrequest"), 1, 0)
| eval SearchMailboxDelete=if(match(CmdLower, "search-mailbox") AND match(CmdLower, "-deletecontent"), 1, 0)
| eval RemoveTransportRule=if(match(CmdLower, "(remove-transportrule|disable-transportrule|new-transportrule)"), 1, 0)
| eval InboxRuleManip=if(match(CmdLower, "(remove-inboxrule|set-inboxrule|new-inboxrule)"), 1, 0)
| eval PurgeContent=if(match(CmdLower, "(-purgetype\s+harddelete|-purgetype\s+softdelete|harddelete|purgeallitems)"), 1, 0)
| eval RemoveMoveRequest=if(match(CmdLower, "remove-moverequest"), 1, 0)
| eval NewComplianceSearch=if(match(CmdLower, "(new-compliancesearchaction|remove-compliancesearch)"), 1, 0)
| eval SuspicionScore=RemoveExportReq + SearchMailboxDelete + RemoveTransportRule + InboxRuleManip + PurgeContent + RemoveMoveRequest + NewComplianceSearch
| where SuspicionScore > 0
| eval User=coalesce(User, SubjectUserName, user)
| eval host=coalesce(host, ComputerName)
| table _time, host, User, Image, CommandLine, RemoveExportReq, SearchMailboxDelete, RemoveTransportRule, InboxRuleManip, PurgeContent, RemoveMoveRequest, NewComplianceSearch, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Exchange administrators running scheduled cleanup scripts that invoke Remove-MailboxExportRequest on completed jobs
Compliance team running Search-Mailbox -DeleteContent as part of approved legal hold or data subject access request workflows
IT automation or runbooks using Remove-InboxRule to remove organization-wide malicious inbox rules after an incident
Retention policy automation using compliance search actions to enforce data lifecycle management

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "Process CommandLine" AS command_line,
  "Process Name" AS process_name,
  devicehostname AS hostname,
  LOGSOURCENAME(deviceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID(deviceid) IN (12, 13, 352)
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("Process CommandLine") LIKE '%remove-mailboxexportrequest%'
    OR LOWER("Process CommandLine") LIKE '%remove-mailboximportrequest%'
    OR (LOWER("Process CommandLine") LIKE '%search-mailbox%' AND LOWER("Process CommandLine") LIKE '%-deletecontent%')
    OR LOWER("Process CommandLine") LIKE '%remove-transportrule%'
    OR LOWER("Process CommandLine") LIKE '%disable-transportrule%'
    OR LOWER("Process CommandLine") LIKE '%new-transportrule%'
    OR LOWER("Process CommandLine") LIKE '%remove-inboxrule%'
    OR LOWER("Process CommandLine") LIKE '%set-inboxrule%'
    OR LOWER("Process CommandLine") LIKE '%new-inboxrule%'
    OR LOWER("Process CommandLine") LIKE '%new-compliancesearchaction%'
    OR LOWER("Process CommandLine") LIKE '%remove-moverequest%'
    OR LOWER("Process CommandLine") LIKE '%-purgetype harddelete%'
    OR LOWER("Process CommandLine") LIKE '%-purgetype softdelete%'
    OR LOWER("Process CommandLine") LIKE '%remove-recoverableitemscleanup%'
  )
  AND LOWER("Process Name") IN ('powershell.exe', 'pwsh.exe')
ORDER BY starttime DESC

high severity high confidence

Data Sources

Windows Security Audit Log (EventID 4688) Sysmon Process Create events Microsoft Windows DSM (QRadar Windows log source)

Required Tables

events

False Positives

Scheduled Exchange maintenance scripts run by Exchange administrators during off-hours for export request cleanup
Automated compliance workflows that perform mailbox searches with deletion as part of GDPR or data retention enforcement
Helpdesk or O365 admin onboarding/offboarding runbooks that remove inbox rules and transport rules during account lifecycle management

Sumo Logic CSE

sql

(_sourceCategory="Windows/EventLogs" OR _sourceCategory="endpoint/windows/sysmon")
| where EventID in ("4688", "1")
| parse field=CommandLine "*" as cmd
| eval cmd_lower = toLowerCase(cmd)
| where Image matches "*powershell.exe" OR Image matches "*pwsh.exe"
| eval remove_export     = if(cmd_lower matches "*remove-mailboxexportrequest*", 1, 0)
| eval search_delete     = if(cmd_lower matches "*search-mailbox*" AND cmd_lower matches "*-deletecontent*", 1, 0)
| eval remove_transport  = if(cmd_lower matches "*remove-transportrule*" OR cmd_lower matches "*disable-transportrule*" OR cmd_lower matches "*new-transportrule*", 1, 0)
| eval inbox_rule_manip  = if(cmd_lower matches "*remove-inboxrule*" OR cmd_lower matches "*set-inboxrule*" OR cmd_lower matches "*new-inboxrule*", 1, 0)
| eval purge_content     = if(cmd_lower matches "*-purgetype harddelete*" OR cmd_lower matches "*-purgetype softdelete*" OR cmd_lower matches "*purgeallitems*", 1, 0)
| eval remove_move_req   = if(cmd_lower matches "*remove-moverequest*", 1, 0)
| eval compliance_search = if(cmd_lower matches "*new-compliancesearchaction*" OR cmd_lower matches "*remove-compliancesearch*", 1, 0)
| eval recoverable_clean = if(cmd_lower matches "*remove-recoverableitemscleanup*", 1, 0)
| eval suspicion_score = remove_export + search_delete + remove_transport + inbox_rule_manip + purge_content + remove_move_req + compliance_search + recoverable_clean
| where suspicion_score > 0
| fields _messageTime, hostname, User, Image, cmd, remove_export, search_delete, remove_transport, inbox_rule_manip, purge_content, remove_move_req, compliance_search, recoverable_clean, suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Log (EventID 4688) Sysmon Process Creation (EventID 1) Windows endpoint telemetry via Sumo Logic collector

Required Tables

Windows/EventLogs source category endpoint/windows/sysmon source category

False Positives

IT automation pipelines that clean up stale mailbox export requests after successful archive migrations or PST exports
Security operations center workflows using Search-Mailbox -DeleteContent under formal legal hold release or data subject access request fulfillment
Exchange hybrid migration scripts that remove move requests and reconfigure transport rules as part of batch cutover operations

Google Chronicle / SecOps

yaral

rule t1070_008_clear_mailbox_data {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects adversary use of Exchange PowerShell cmdlets to clear mailbox data and destroy forensic evidence. Covers Remove-MailboxExportRequest, Search-Mailbox -DeleteContent, transport rule manipulation, inbox rule abuse, and purge-type hard-delete operations consistent with T1070.008."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.008"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1070/008/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe)$/
    (
      $e.target.process.command_line = /(?i)Remove-MailboxExportRequest/
      or $e.target.process.command_line = /(?i)Remove-MailboxImportRequest/
      or ($e.target.process.command_line = /(?i)Search-Mailbox/ and $e.target.process.command_line = /(?i)-DeleteContent/)
      or $e.target.process.command_line = /(?i)Remove-TransportRule/
      or $e.target.process.command_line = /(?i)Disable-TransportRule/
      or $e.target.process.command_line = /(?i)New-TransportRule/
      or $e.target.process.command_line = /(?i)Remove-InboxRule/
      or $e.target.process.command_line = /(?i)Set-InboxRule/
      or $e.target.process.command_line = /(?i)New-InboxRule/
      or $e.target.process.command_line = /(?i)New-ComplianceSearchAction/
      or $e.target.process.command_line = /(?i)Remove-MoveRequest/
      or $e.target.process.command_line = /(?i)-PurgeType\s+HardDelete/
      or $e.target.process.command_line = /(?i)-PurgeType\s+SoftDelete/
      or $e.target.process.command_line = /(?i)Remove-RecoverableItemsCleanup/
      or $e.target.process.command_line = /(?i)Set-MailboxMessageConfiguration/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows endpoint telemetry forwarded to Chronicle via Bindplane or Chronicle forwarder Google Workspace/Microsoft 365 audit logs normalized to UDM EDR process telemetry

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Exchange Online migration projects where administrators routinely use Remove-MoveRequest and New-TransportRule as part of tenant-to-tenant migration runbooks
Scheduled compliance automation that invokes New-ComplianceSearchAction to enforce data retention policies with approved deletion workflows
Managed service provider scripts that reset inbox rules during bulk user onboarding or offboarding as part of Exchange account lifecycle management

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/
| CommandLine = /(?i)(Remove-MailboxExportRequest|Remove-MailboxImportRequest|Remove-TransportRule|Disable-TransportRule|New-TransportRule|Remove-InboxRule|Set-InboxRule|New-InboxRule|New-ComplianceSearchAction|Remove-MoveRequest|Remove-RecoverableItemsCleanup|Set-MailboxMessageConfiguration|-PurgeType\s+(Hard|Soft)Delete|Search-Mailbox.*-DeleteContent)/
| eval remove_export = if(CommandLine = /(?i)Remove-MailboxExportRequest/, 1, 0)
| eval search_delete = if(CommandLine = /(?i)Search-Mailbox/ AND CommandLine = /(?i)-DeleteContent/, 1, 0)
| eval transport_manip = if(CommandLine = /(?i)(Remove-TransportRule|Disable-TransportRule|New-TransportRule)/, 1, 0)
| eval inbox_manip = if(CommandLine = /(?i)(Remove-InboxRule|Set-InboxRule|New-InboxRule)/, 1, 0)
| eval purge_hard = if(CommandLine = /(?i)-PurgeType\s+HardDelete/, 1, 0)
| eval purge_soft = if(CommandLine = /(?i)-PurgeType\s+SoftDelete/, 1, 0)
| eval compliance_del = if(CommandLine = /(?i)(New-ComplianceSearchAction|Remove-ComplianceSearch)/, 1, 0)
| eval recoverable_wipe = if(CommandLine = /(?i)Remove-RecoverableItemsCleanup/, 1, 0)
| eval suspicion_score = remove_export + search_delete + transport_manip + inbox_manip + purge_hard + purge_soft + compliance_del + recoverable_wipe
| where suspicion_score > 0
| groupBy([ComputerName, UserName, CommandLine], function=[count(as=event_count), max(suspicion_score, as=max_score), min(@timestamp, as=first_seen), max(@timestamp, as=last_seen)])
| sort(max_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR ProcessRollup2 events Falcon sensor process telemetry on Exchange/management hosts

Required Tables

ProcessRollup2 event stream

False Positives

Exchange hybrid configuration scripts that run Remove-MoveRequest and configure transport rules during on-premises to Exchange Online migrations
Automated IT runbooks triggered by ITSM ticketing systems for account deprovisioning that clean inbox rules via PowerShell as part of offboarding
Third-party email security tools (Proofpoint, Mimecast) that provision and deprovision transport rules via PowerShell API wrappers during policy synchronization

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1070.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Clear Mailbox Data

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections