Threat Actors may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.