
Insider Threat Matrix™

  • ID: AF027
  • Created: 11th August 2025
  • Updated: 11th August 2025
  • Contributor: The ITM Team

Clear Email Artifacts

A subject clears email artifacts to hide evidence of their activities, for example by deleting emails, auto-forwarding rules, or other mailbox rules.

Subsections

AF027.002 Auto-Forwarding Rule Deletion

The subject removes one or more auto-forwarding rules from their email configuration to obscure prior message redirection to internal or external recipients. These rules, when active, silently transmit inbound emails, including attachments, proprietary data, or sensitive internal correspondence, to alternate mailboxes, often controlled or accessible by the subject. Deletion is typically performed to disrupt investigative reconstruction, eliminate configuration evidence, and frustrate detection of unauthorized forwarding behavior.

AF027.001 Email Deletion

The subject deliberately deletes emails - either sent, received, or both - with the intent to obstruct investigative visibility, remove evidence of policy violations, or eliminate traces of communication relevant to an insider event. While routine inbox maintenance is common, patterns of targeted deletion may indicate purposeful concealment.

AF027.003 Inbox Rule Deletion

The subject deletes one or more inbox rules from their email client or server mailbox configuration to conceal the prior existence of automated message handling behaviors. Unlike auto-forwarding rules, which redirect messages externally, inbox rules typically perform local actions such as moving messages to folders, deleting them upon receipt, or marking them as read.

Deleted rules can complicate retrospective investigations by eliminating a clear audit trail of how emails were processed, hidden, or discarded during an investigation's timeframe.

AF027.006 Shared Mailbox Deletion

A subject intentionally deletes a shared mailbox that has been used for illegitimate activity - such as Exfiltration via Corporate Email, distribution of unsolicited bulk messages, or staging of sensitive data - with the purpose of denying access to investigators.
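As an added, defender-side example that is not part of the ITM page, the script below flags each of the four AF027 behaviours above in a batch of constructed audit records. The records are shaped loosely like Exchange entries in the Microsoft 365 unified audit log (Operation, UserId, CreationTime, and Parameters as a list of Name/Value pairs); the cmdlet names (New-InboxRule, Set-InboxRule, Remove-InboxRule, Set-Mailbox, Remove-Mailbox) and the mailbox-audit actions (HardDelete, SoftDelete, MoveToDeletedItems) are real, while the users, rule names, timestamps, thresholds and the `analyse` function are inventions for this example. The one point worth taking from it is the join: a Remove-InboxRule event alone does not say what the removed rule did, so the script remembers which rules were created or modified with a forwarding action and uses that to separate AF027.002 from AF027.003.

```python
"""Added example: flag AF027 email anti-forensics in constructed M365-style audit records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters that give an inbox rule or mailbox a forwarding/redirect action.
FORWARDING_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Mailbox-audit actions that remove items from a folder.
ITEM_DELETE_OPS = {"HardDelete", "SoftDelete", "MoveToDeletedItems"}

# Constructed sample records (all values invented). Field layout approximates
# the unified audit log; only the fields used below are populated.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-08-11T08:40:00", "Workload": "Exchange", "UserId": "jdoe@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Forward to personal"},
                    {"Name": "ForwardTo", "Value": "jdoe.home@example.net"}]},
    {"CreationTime": "2025-08-11T08:41:00", "Workload": "Exchange", "UserId": "jdoe@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Tidy newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2025-08-11T09:02:11", "Workload": "Exchange", "UserId": "jdoe@example.com",
     "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "jdoe"},
                    {"Name": "ForwardingSmtpAddress", "Value": ""}]},  # forwarding cleared
    {"CreationTime": "2025-08-11T09:03:40", "Workload": "Exchange", "UserId": "jdoe@example.com",
     "Operation": "Remove-InboxRule",
     "Parameters": [{"Name": "Identity", "Value": "jdoe\\Forward to personal"}]},
    {"CreationTime": "2025-08-11T09:03:55", "Workload": "Exchange", "UserId": "jdoe@example.com",
     "Operation": "Remove-InboxRule",
     "Parameters": [{"Name": "Identity", "Value": "jdoe\\Tidy newsletters"}]},
    {"CreationTime": "2025-08-11T09:20:00", "Workload": "Exchange", "UserId": "asmith@example.com",
     "Operation": "MoveToDeletedItems", "Parameters": []},  # routine single deletion
    {"CreationTime": "2025-08-11T10:30:00", "Workload": "Exchange", "UserId": "admin@example.com",
     "Operation": "Remove-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "projectx-shared"}]},
] + [
    # Six hard deletes in five minutes by the same user: a burst, not maintenance.
    {"CreationTime": f"2025-08-11T09:{5 + i:02d}:00", "Workload": "Exchange",
     "UserId": "jdoe@example.com", "Operation": "HardDelete", "Parameters": []}
    for i in range(6)
]


def _params(rec):
    """Flatten the Parameters list into a dict; a missing list gives an empty dict."""
    return {p["Name"]: p.get("Value") or "" for p in rec.get("Parameters", [])}


def _rule_name(p):
    """Rule identity as 'mailbox\\rule' or bare name; keep only the rule part."""
    raw = p.get("Identity") or p.get("Name") or ""
    return raw.rsplit("\\", 1)[-1]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def analyse(records, window=timedelta(minutes=10), bulk_threshold=5):
    """Return findings as (technique_id, user, detail) tuples."""
    findings = []
    forwarding_rules = set()          # rule names seen with a forwarding action
    deletes = defaultdict(list)       # user -> timestamps of item deletions

    for rec in sorted(records, key=_ts):
        op, user, p = rec.get("Operation"), rec.get("UserId"), _params(rec)
        if op in ("New-InboxRule", "Set-InboxRule"):
            if FORWARDING_PARAMS & {k for k, v in p.items() if v}:
                forwarding_rules.add(_rule_name(p))
        elif op == "Remove-InboxRule":
            name = _rule_name(p)
            tech = "AF027.002" if name in forwarding_rules else "AF027.003"
            findings.append((tech, user, f"inbox rule removed: {name}"))
        elif op == "Set-Mailbox":
            cleared = [k for k in ("ForwardingSmtpAddress", "ForwardingAddress")
                       if k in p and not p[k]]
            if cleared:
                findings.append(("AF027.002", user,
                                 "mailbox forwarding cleared: " + ",".join(cleared)))
        elif op == "Remove-Mailbox":
            findings.append(("AF027.006", user, f"mailbox removed: {p.get('Identity', '?')}"))
        elif op in ITEM_DELETE_OPS:
            deletes[user].append(_ts(rec))

    # AF027.001: densest run of item deletions per user inside the sliding window.
    for user, times in deletes.items():
        j, peak = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= bulk_threshold:
            findings.append(("AF027.001", user, f"{peak} item deletions within {window}"))
    return findings


if __name__ == "__main__":
    for tech, user, detail in analyse(SAMPLE_RECORDS):
        print(tech, user, detail)
```

The burst threshold and window are deliberately low so the constructed data trips them; on real data they need tuning per tenant, and a Remove-InboxRule without a matching creation event in the retained log still deserves a look, since the forwarding rule may predate retention.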