Detect Clear Mailbox Data in Microsoft Sentinel
Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command-line tools or APIs. Adversaries may use Exchange PowerShell cmdlets (e.g., Remove-MailboxExportRequest, or Search-Mailbox with -DeleteContent), O365/Graph API calls, or command-line mail utilities on Linux/macOS to delete emails, purge Deleted Items, remove sent items, wipe transport rules, or remove export request logs. Doing so covers tracks from phishing delivery, internal spearphishing, email-based C2, and email exfiltration.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1070 Indicator Removal
- Sub-technique: T1070.008 Clear Mailbox Data
- Canonical reference: https://attack.mitre.org/techniques/T1070/008/
KQL Detection Query
```kusto
let SuspiciousMailboxCmdlets = dynamic([
    "Remove-MailboxExportRequest",
    "Remove-MailboxImportRequest",
    "Search-Mailbox",
    "New-ComplianceSearchAction",
    "Remove-MoveRequest",
    "Set-MailboxMessageConfiguration",
    "New-TransportRule",
    "Remove-TransportRule",
    "Set-TransportRule",
    "Disable-TransportRule",
    "Remove-InboxRule",
    "New-InboxRule",
    "Set-InboxRule",
    "Remove-RecoverableItemsCleanup"
]);
// Parameter fragments that indicate content is being purged rather than only searched or exported
let DeleteContentPatterns = dynamic([
    "-DeleteContent",
    "-PurgeType HardDelete",
    "-PurgeType SoftDelete",
    "DeleteContent",
    "HardDelete"
]);
// Branch 1: Exchange PowerShell cmdlets for mailbox manipulation (endpoint process telemetry)
let ExchangePowerShell = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any (SuspiciousMailboxCmdlets)
    | extend DetectionType = "ExchangePowerShell_MailboxManipulation"
    | extend HasDeleteContent = ProcessCommandLine has_any (DeleteContentPatterns)
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
        InitiatingProcessFileName, InitiatingProcessCommandLine,
        DetectionType, HasDeleteContent;
// Branch 2: Office 365 Unified Audit Log - item-level purge/delete operations.
// The original filter also listed MoveToDeletedItems, FolderBind, SendAs and MailboxLogin
// but then restricted the result to HardDelete/SoftDelete anyway, so only those two are matched.
let O365MailboxDelete = OfficeActivity
    | where TimeGenerated > ago(24h)
    | where Operation in ("HardDelete", "SoftDelete")
    | extend DetectionType = "O365_MailboxItemDeletion"
    | extend HasDeleteContent = true
    | project TimeGenerated, UserId, Operation, ClientIP, MailboxOwnerUPN,
        OfficeObjectId, ResultStatus, DetectionType, HasDeleteContent;
// Branch 3: Exchange admin audit events for export-request cleanup, Search-Mailbox and rule manipulation
let ExchangeAuditBulk = OfficeActivity
    | where TimeGenerated > ago(24h)
    | where RecordType == "ExchangeAdmin"
    | where Operation in (
        "Remove-MailboxExportRequest",
        "Search-Mailbox",
        "Remove-TransportRule",
        "Disable-TransportRule",
        "New-TransportRule",
        "Remove-InboxRule",
        "Set-InboxRule"
    )
    | extend DetectionType = "ExchangeAdmin_MailboxCoverage"
    // Operation only holds the cmdlet name; -DeleteContent / -PurgeType show up in Parameters
    | extend HasDeleteContent = tostring(Parameters) has_any (DeleteContentPatterns)
    | project TimeGenerated, UserId, Operation, ClientIP, ResultStatus,
        Parameters, DetectionType, HasDeleteContent;
// Map the audit-log branches onto the DeviceProcessEvents column names so the union shares one schema:
// DeviceName/AccountName carry UserId, FileName carries Operation, and the Initiating* columns
// carry ClientIP plus MailboxOwnerUPN (branch 2) or ResultStatus (branch 3)
ExchangePowerShell
| union kind=outer (
    O365MailboxDelete
    | project Timestamp=TimeGenerated, DeviceName=UserId, AccountName=UserId,
        FileName=Operation, ProcessCommandLine=OfficeObjectId,
        InitiatingProcessFileName=ClientIP, InitiatingProcessCommandLine=MailboxOwnerUPN,
        DetectionType, HasDeleteContent
)
| union kind=outer (
    ExchangeAuditBulk
    | project Timestamp=TimeGenerated, DeviceName=UserId, AccountName=UserId,
        FileName=Operation, ProcessCommandLine=tostring(Parameters),
        InitiatingProcessFileName=ClientIP, InitiatingProcessCommandLine=ResultStatus,
        DetectionType, HasDeleteContent
)
| sort by Timestamp desc
```

Detects adversarial mailbox data clearing across three vectors: (1) Exchange PowerShell cmdlets that delete or purge mailbox content or remove export requests and transport rules, observed in DeviceProcessEvents; (2) Office 365 Unified Audit Log HardDelete and SoftDelete operations indicating individual email purging; and (3) Exchange Admin audit events for transport rule manipulation, inbox rule changes, and Search-Mailbox with DeleteContent. Covers both on-premises Exchange and Exchange Online scenarios.
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint process creation telemetry; used by branch 1)
- OfficeActivity (Office 365 Unified Audit Log via the Office 365 connector; used by branches 2 and 3)
False Positives & Tuning
- Legitimate Exchange administrators running Remove-MailboxExportRequest to clean up completed export jobs as part of routine mailbox management
- Compliance officers using Search-Mailbox -DeleteContent for approved legal hold or eDiscovery purge operations following documented procedures
- Automated retention policy enforcement systems (MRM/MFA policies) triggering HardDelete or SoftDelete operations in bulk across user mailboxes
- Help desk staff using Remove-InboxRule or Set-InboxRule to clean up spam filter rules or misconfigured user inbox rules
Testing Methodology
Validate this detection against the 5 adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Remove Mailbox Export Request via Exchange PowerShell
  Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Remove-MailboxExportRequest'. Office 365 Unified Audit Log: RecordType=ExchangeAdmin, Operation=New-MailboxExportRequest followed by Remove-MailboxExportRequest from the same UserId. Exchange Admin Audit Log entries for both operations. PowerShell ScriptBlock Log (Event ID 4104) with the full cmdlet invocation.
- Test 2: Search-Mailbox with DeleteContent to Purge Emails
  Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Search-Mailbox' and '-DeleteContent'. Windows Security Event ID 4688 (if enabled) with the same details. PowerShell ScriptBlock Log (Event ID 4104) capturing the full cmdlet with all parameters. Exchange Admin Audit Log entry with full command details.
- Test 3: Create Suppression Transport Rule to Delete Security Notifications
  Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'New-TransportRule' and 'DeleteMessage'. Office 365 Unified Audit Log / Exchange Admin Audit Log: RecordType=ExchangeAdmin, Operation=New-TransportRule with full rule parameters. PowerShell ScriptBlock Log (Event ID 4104) with the complete rule definition including the -DeleteMessage flag.
- Test 4: Delete Emails via Linux mail Command
  Expected signal: Linux auditd: execve syscall for the 'mail' binary with arguments containing the 'd' (delete) flag. Syslog: process invocation of /usr/bin/mail or /bin/mail. If Sysmon for Linux is deployed: ProcessCreate event with Image=/usr/bin/mail and CommandLine containing delete arguments.
- Test 5: Remove Inbox Rule to Cover Tracks After Rule-Based Exfiltration
  Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Remove-InboxRule'. Exchange Admin Audit Log and O365 Unified Audit Log: Operations New-InboxRule then Remove-InboxRule from the same account. PowerShell ScriptBlock Log (Event ID 4104) capturing both rule creation and removal. If alerting on New-InboxRule, the forwarding rule creation would also trigger separately.
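As an added example that is not part of the rule or this page, the following Python re-implements the ExchangeAdmin branch of the query over constructed OfficeActivity-shaped records and adds the create-then-remove pairing that Test 1 and Test 5 describe as the expected audit sequence. The 24-hour pairing window, the record helpers and the sample users are assumptions; the Parameters matching mirrors the query's has_any over the Parameters column rather than Operation.

```python
import json
from datetime import datetime, timedelta
# The query's DeleteContentPatterns, lower-cased because KQL has_any is case-insensitive.
DELETE_PATTERNS = ("-deletecontent", "-purgetype harddelete", "-purgetype softdelete", "deletecontent", "harddelete")
WATCHED_OPS = {"Remove-MailboxExportRequest", "Search-Mailbox", "Remove-TransportRule",
               "Disable-TransportRule", "New-TransportRule", "Remove-InboxRule", "Set-InboxRule"}
# Create/remove pairs from Test 1 and Test 5; the 24h pairing window is an assumed tuning value.
CREATE_FOR_REMOVE = {"Remove-MailboxExportRequest": "New-MailboxExportRequest",
                     "Remove-InboxRule": "New-InboxRule"}
PAIR_WINDOW = timedelta(hours=24)

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _params(**kv):
    """Parameters value in the Name/Value JSON array shape the audit log uses (assumed helper)."""
    return json.dumps([{"Name": k, "Value": v} for k, v in kv.items()])

def has_delete_content(parameters):
    """Mirror of 'Parameters has_any (DeleteContentPatterns)': case-insensitive substring match."""
    text = (parameters or "").lower()
    return any(p in text for p in DELETE_PATTERNS)

def detect(records):
    """Findings for watched ExchangeAdmin records: DeleteContent flag plus create-then-remove pairing."""
    rows = sorted(records, key=lambda r: _ts(r["TimeGenerated"]))
    findings = []
    for i, r in enumerate(rows):
        if r.get("RecordType") != "ExchangeAdmin" or r["Operation"] not in WATCHED_OPS:
            continue  # item-level HardDelete/SoftDelete (RecordType ExchangeItem) belongs to branch 2
        create_op = CREATE_FOR_REMOVE.get(r["Operation"])
        paired = bool(create_op) and any(
            p["UserId"] == r["UserId"] and p["Operation"] == create_op
            and _ts(r["TimeGenerated"]) - _ts(p["TimeGenerated"]) <= PAIR_WINDOW for p in rows[:i])
        findings.append({"UserId": r["UserId"], "Operation": r["Operation"],
                         "HasDeleteContent": has_delete_content(r.get("Parameters")),
                         "PairedWithCreate": paired})
    return findings

def _rec(ts, rtype, user, op, params=""):
    return {"TimeGenerated": ts, "RecordType": rtype, "UserId": user, "Operation": op, "Parameters": params}
# Constructed sample records (not real telemetry) in the shape of the OfficeActivity table.
SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:00Z", "ExchangeAdmin", "admin", "New-MailboxExportRequest", _params(Mailbox="alice")),
    _rec("2024-05-01T10:05:00Z", "ExchangeAdmin", "admin", "Remove-MailboxExportRequest", _params(Identity="alice\\Export1")),
    _rec("2024-05-01T11:00:00Z", "ExchangeAdmin", "legal", "Search-Mailbox",
         _params(Identity="bob", SearchQuery="subject:invoice", DeleteContent="True")),
    _rec("2024-05-01T11:30:00Z", "ExchangeAdmin", "helpdesk", "Remove-InboxRule", _params(Identity="carol\\Old rule")),
    _rec("2024-05-01T12:00:00Z", "ExchangeItem", "bob", "HardDelete"),
]
```

Running detect(SAMPLE_RECORDS) yields three findings: the export-request removal paired with its creation, the Search-Mailbox purge flagged by DeleteContent, and an unpaired inbox-rule removal, while the ExchangeItem HardDelete is left to branch 2.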
References
- https://attack.mitre.org/techniques/T1070/008/
- https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
- https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
- https://man7.org/linux/man-pages/man1/mailx.1p.html
- https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://www.mandiant.com/resources/blog/apt42-charms-cons-and-compromises
- https://www.welivesecurity.com/en/eset-research/to-the-moon-and-back-s-lunar-landing-in-diplomatic-missions/
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rules
- https://learn.microsoft.com/en-us/powershell/module/exchange/remove-mailboxexportrequest
- https://learn.microsoft.com/en-us/powershell/module/exchange/search-mailbox
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md