title: Clear Mailbox Data (T1070.008)
id: df00tech-t1070-008
status: experimental
description: "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command-line tools or APIs. Adversaries may use Exchange PowerShell cmdlets (e.g., Remove-MailboxExportRequest, or Search-Mailbox with -DeleteContent), O365/Graph API calls, or command-line mail utilities on Linux/macOS to delete emails, purge Deleted Items, remove sent items, wipe transport rules, or remove export request logs. This covers the tracks left by phishing delivery, internal spearphishing, email-based C2, and email exfiltration."
references:
  - https://attack.mitre.org/techniques/T1070/008/
  - https://df00tech.com/detections/T1070.008
author: df00tech
date: 2026/04/13
tags:
  - attack.t1070.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate Exchange administrators running Remove-MailboxExportRequest to clean up completed export jobs as part of routine mailbox management
  - Compliance officers using Search-Mailbox -DeleteContent for approved legal hold or eDiscovery purge operations following documented procedures
  - Automated retention policy enforcement systems (MRM/MFA policies) triggering HardDelete or SoftDelete operations in bulk across user mailboxes
  - Help desk staff using Remove-InboxRule or Set-InboxRule to clean up spam filter rules or misconfigured user inbox rules
level: high
