MITRE ATT&CK® Analytic

AN0738: Analytic 0738

Detects the use of mail utilities like `mail` or `mailx` to delete mailbox content, or file-level deletion of inbox files from `/var/spool/mail/` or `/var/mail/` following suspicious sessions.

Enterprise | AN0738 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because deletion of local Linux mailbox content can remove evidence of account activity, alerts, or operational messages that incident responders and administrators may need during an investigation. For leaders, the practical question is whether Linux server mail artifacts are being retained, monitored, and protected well enough to support incident response and audit reconstruction when suspicious sessions occur.

Executive priority

Prioritize this as an evidence-integrity and incident-readiness issue for Linux environments that use local mail spools. Security leaders should ask whether SOC and IR teams can see mailbox deletion activity, correlate it to suspicious sessions, and preserve relevant logs before they are lost. The business value is strongest where local system mail is used for administrative notifications, job output, or security-relevant messages.

Technical view

Validate that Linux process telemetry captures invocations of mail or mailx, and that file telemetry captures deletion, truncation, or rewriting of inbox files under /var/spool/mail/ or /var/mail/. Two practical points shape the logic. First, mail and mailx take their delete commands at their own prompt (or from standard input), so the command line records only that the utility ran; the deletion itself shows up as the utility writing the mailbox file back when it exits, and that write is the event to capture and pair with the earlier execution in the same session. Second, on common distributions one of /var/mail and /var/spool/mail is a symlink to the other, so file watches and path matches must cover both names. Because the ATT&CK object provides no tactic mapping, no detection logic, and no relationship context, teams should treat this as a detection validation prompt rather than a complete rule. Correlation should focus on whether the deletion follows a suspicious session and whether the user, host, and mailbox path are expected for that environment.

Likely telemetry

  • Linux process execution telemetry, including command line where available
  • File deletion or file modification telemetry for /var/spool/mail/ and /var/mail/
  • Authentication and session records for Linux hosts
  • Shell history or terminal/session auditing where collected
  • Host audit logs that can associate users, processes, and affected mailbox files

Detection direction

  • Confirm whether endpoint or Linux audit telemetry captures mail/mailx execution with sufficient command-line detail.
  • Confirm whether deletion or truncation of files in /var/spool/mail/ and /var/mail/ is visible and retained.
  • Correlate mailbox deletion events with suspicious sessions rather than alerting on all mail utility use, since legitimate administration or user cleanup may occur.
  • Tune by expected server role, mailbox usage, service accounts, and administrative maintenance patterns.
  • Account for blind spots where local mail is not monitored, command lines are not captured, file deletion telemetry is absent, or logs are lost from the same host being investigated.
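As an added example of the correlation the Technical view and the points above describe (this is example code, not code from the ATT&CK object or from Glexia): a Python script that groups constructed auditd-style records by event, remembers which sessions ran mail or mailx, and reports inbox files that were unlinked, written back by mail/mailx, or written by a process outside a delivery allowlist, tagging each finding with whether its session was already judged suspicious. The auditd rule keys (mail_spool, mail_exec), the session list, the delivery-agent allowlist and the sample records are all assumptions.

```python
# Added example, not code from the ATT&CK object or from Glexia. It assumes
# auditd rules such as "-w /var/mail -p wa -k mail_spool" (and the same for
# /var/spool/mail) plus execve rules for /usr/bin/mail and /usr/bin/mailx, so
# a SYSCALL record keyed mail_spool is a write or attribute change on a spool
# file. The records below are constructed and simplified.
import os
import re

MAIL_SPOOL_DIRS = ("/var/mail/", "/var/spool/mail/")
MAIL_UTILITIES = {"mail", "mailx"}
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# ses=7 runs mailx on a mailbox and later truncates it from a shell; ses=9
# unlinks root's inbox; an unrelated unlink and a normal delivery are decoys.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1001 uid=1001 ses=7 tty=pts0 comm="mailx" exe="/usr/bin/mailx" key="mail_exec"
type=EXECVE msg=audit(1700000000.100:101): argc=3 a0="mailx" a1="-f" a2="/var/mail/alice"
type=SYSCALL msg=audit(1700000000.900:102): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=901 auid=1001 uid=1001 ses=7 tty=pts0 comm="mailx" exe="/usr/bin/mailx" key="mail_spool"
type=PATH msg=audit(1700000000.900:102): item=1 name="/var/mail/alice" inode=4242 nametype=NORMAL
type=SYSCALL msg=audit(1700000005.000:103): arch=c000003e syscall=87 success=yes exit=0 ppid=1200 pid=1201 auid=1002 uid=0 ses=9 tty=pts1 comm="rm" exe="/usr/bin/rm" key="mail_spool"
type=PATH msg=audit(1700000005.000:103): item=1 name="/var/spool/mail/root" inode=4243 nametype=DELETE
type=SYSCALL msg=audit(1700000010.000:104): arch=c000003e syscall=87 success=yes exit=0 ppid=1300 pid=1301 auid=1003 uid=1003 ses=11 tty=pts2 comm="rm" exe="/usr/bin/rm" key="home_watch"
type=PATH msg=audit(1700000010.000:104): item=1 name="/home/carol/notes.txt" inode=5555 nametype=DELETE
type=SYSCALL msg=audit(1700000020.000:105): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=1400 auid=4294967295 uid=8 ses=4294967295 tty=(none) comm="procmail" exe="/usr/bin/procmail" key="mail_spool"
type=PATH msg=audit(1700000020.000:105): item=1 name="/var/mail/bob" inode=4244 nametype=NORMAL
type=SYSCALL msg=audit(1700000030.000:106): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=950 auid=1001 uid=1001 ses=7 tty=pts0 comm="bash" exe="/usr/bin/bash" key="mail_spool"
type=PATH msg=audit(1700000030.000:106): item=1 name="/var/mail/alice" inode=4242 nametype=NORMAL
"""
# Processes allowed to write inboxes on this host (assumption; tune per role).
DELIVERY_AGENTS = frozenset({"/usr/bin/procmail"})


def parse_record(line):
    """Parse one auditd record into a dict; quoted values are unquoted."""
    m = AUDIT_MSG.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}
    rec["time"], rec["event_id"] = float(m.group(1)), int(m.group(2))
    return rec


def group_events(log_text):
    """Group records by audit event ID; all records of one syscall share it."""
    events = {}
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        events.setdefault(rec["event_id"], []).append(rec)
    return events


def is_spool_path(name):
    """True for a file directly inside either spool directory. Both prefixes
    matter: on common distributions one is a symlink to the other, and the
    PATH record carries whatever name the process used."""
    for spool in MAIL_SPOOL_DIRS:
        rest = name[len(spool):]
        if name.startswith(spool) and rest and "/" not in rest:
            return True
    return False


def find_mailbox_tampering(log_text, suspicious_sessions, delivery_agents=frozenset()):
    """Findings for an inbox being unlinked, written back by mail/mailx, or
    written by a process outside the delivery allowlist, with session context.
    Running mail/mailx is remembered per session but is not itself a finding:
    the delete command is typed at the mail prompt, never on the command line."""
    events = group_events(log_text)
    mail_sessions, findings = set(), []
    for event_id in sorted(events):
        recs = events[event_id]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None:
            continue
        ses = syscall.get("ses", "")
        execve = next((r for r in recs if r["type"] == "EXECVE"), None)
        if execve and os.path.basename(execve.get("a0", "")) in MAIL_UTILITIES:
            mail_sessions.add(ses)
            continue
        for path in (r for r in recs if r["type"] == "PATH"):
            name = path.get("name", "")
            if not is_spool_path(name):
                continue
            if path.get("nametype") == "DELETE":
                reason = "inbox_file_deleted"
            elif syscall.get("key") != "mail_spool":
                continue  # read-only access; the watch only fires on write/attr
            elif syscall.get("comm") in MAIL_UTILITIES:
                reason = "mailbox_rewritten_by_mail_utility"
            elif syscall.get("exe") in delivery_agents:
                continue  # ordinary delivery by an allowed agent
            else:
                reason = "inbox_file_written_by_unexpected_process"
            findings.append({
                "event_id": event_id, "time": syscall["time"], "reason": reason,
                "path": name, "session": ses, "auid": syscall.get("auid"),
                "exe": syscall.get("exe"),
                "mail_utility_in_session": ses in mail_sessions,
                "suspicious_session": ses in suspicious_sessions})
    return findings
```

Calling find_mailbox_tampering(SAMPLE_AUDIT_LOG, {"7"}, DELIVERY_AGENTS) yields three findings: the mailx write-back in session 7 and the later shell write to the same inbox (both in the suspicious session, so both would alert), and the rm of root's inbox in session 9, which is reported for review but not correlated. The procmail delivery is dropped by the allowlist, which is the tuning knob for the "expected server role" point above; real audit logs also carry a PATH record for the parent directory (nametype=PARENT), which is_spool_path ignores because it names the directory rather than a mailbox.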

Mitigation priorities

  • Preserve and centralize Linux authentication, process, and file activity logs so mailbox deletion evidence is not only stored locally.
  • Restrict administrative access to systems and mailbox paths based on role and operational need.
  • Review whether local system mail contains security- or operations-relevant evidence and define retention expectations accordingly.
  • Include /var/spool/mail/ and /var/mail/ in incident response evidence collection procedures where applicable.
  • Test detection and triage workflows in representative Linux environments before relying on this analytic for coverage claims.

Analyst notes and limits

The supplied object is a detection analytic for Linux focused on mail/mailx mailbox content deletion or deletion of inbox files under common local mail spool paths after suspicious sessions. No ATT&CK tactics, related techniques, procedure examples, or formal detection logic were supplied, so the strongest use is as a coverage gap and validation checklist for Linux host monitoring and IR evidence preservation.

This take is limited to the official STIX fields, external reference, and the absence of relationship context. It does not establish adversary attribution, active exploitation, business impact, or guaranteed detection. Local environment evidence is required to determine whether local mailbox files exist, whether they contain material evidence, and whether current telemetry can reliably detect deletion activity.

Official MITRE ATT&CK definition

Analytic 0738

Detects the use of mail utilities like `mail` or `mailx` to delete mailbox content, or file-level deletion of inbox files from `/var/spool/mail/` or `/var/mail/` following suspicious sessions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ea8b279bf657320d...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  ea8b279bf657…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0738 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.