topic Re: How to Get all Recipients of an email message with EWS O365 Integration Query in Cortex XSOAR Discussions

How to Get all Recipients of an email message with EWS O365 Integration Query

xdrengineer — Thu, 26 Jun 2025 13:46:54 GMT

Hello,

I am integrating XSOAR with EWS O365, and I am building a phishing PB, that starts with query based on subject of an email, in order to get the item-id of that email message and also the recipients of that email to take action on each of them.

The problem is that, when I run the search based on the subject using !ews-search-mailbox query="Subject:<anything here>", I expect to ge the full list of recipients, alongside the other fields, like sender, item-id, ...etc.

But in fact I get a result that is limited only to the emails where the "to" OR "cc" is the email-id that is used in the configuration of the connector. -The connector uses App ID, Token, and Email ID-.

How can I get the full list of recipient of specific email with the !ews-search-mailbox based on Subject please.

Re: How to Get all Recipients of an email message with EWS O365 Integration Query

A.Elzedy — Fri, 27 Jun 2025 11:00:10 GMT

Hi @xdrengineer

Microsoft has deprecated the ApplicationImpersonation access type as of February 2025, making the traditional EWS approach increasingly problematic for organization-wide searches.

Reference: EWS O365 Integration Documentation

The issue you're encountering is a fundamental access restriction in how the EWS O365 integration operates. When you execute !ews-search-mailbox query="Subject:<anything here>", the integration can only return emails from mailboxes where the configured service account has explicit access permissions.

Simply:

Your search results are limited to emails where the configured Email ID appears in the "To" or "CC" fields
You cannot retrieve the complete recipient list for emails across other mailboxes in your organization

The EWS integration requires specific mailbox-level permissions to access each user's emails. Even with full_access_as_app permissions and the ApplicationImpersonation role, the integration can only search mailboxes where access has been explicitly granted through Application Access Policies.

Re: How to Get all Recipients of an email message with EWS O365 Integration Query

A.Elzedy — Fri, 27 Jun 2025 11:16:25 GMT

Here are some options/alternatives:

Option 1: Exchange Message Logs with XQL Queries

You could be ingesting Exchange message logs into your siem and run XQL queries to search by subject across all organizational email traffic. So you can get a complete historical visibility without API permission constraints

Option 2: Alternative PowerShell Command

Switch to EWS Extension Online PowerShell v3 integration with !ews-message-trace-get commands for organization-wide searches. This approach will bypass individual mailbox permission requirements.

Option 3: Microsoft Graph API Integration

Switch to the O365 Outlook Mail (Using Graph API) integration with organizational scope. This is Microsoft's preferred direction for email automation workflows.

Re: How to Get all Recipients of an email message with EWS O365 Integration Query

xdrengineer — Tue, 01 Jul 2025 07:23:41 GMT

Hello @A.Elzedy,

Thanks for your responses,

I am looking at the shared alternate solutions you provided!

I am not sure what is the difference if I use O365 Outlook Mail (Using Graph API), instead of EWS O365 from permission point?

More over the commands mentioned in the document of the shared link of O365 Outlook Mail (Using Graph API) is not there on the Microsoft Graph API App from market place.

Can you please clarify what I may have missed here!

Re: How to Get all Recipients of an email message with EWS O365 Integration Query

A.Elzedy — Tue, 16 Sep 2025 17:20:46 GMT

Well, the key advantage of Microsoft Graph. It offers highly granular permissions. Instead of a blanket "full access," you can grant an application specific permissions like Mail.Read (read mail), Mail.ReadWrite (read and write mail), Mail.Send (send mail), and importantly, Mail.Read.Shared (read shared mailboxes) or Mail.ReadBasic.All (read basic mail for all users) and Mail.Read.All (read all mail for all users) when granted as application permissions. This means you can scope down exactly what your integration can do.

for your second question, it's available here

https://xsoar.pan.dev/docs/reference/integrations/ews-extension-online-powershell-v3#ews-message-trace-get