06-26-2025 06:46 AM
Hello,
I am integrating XSOAR with EWS O365, and I am building a phishing PB, that starts with query based on subject of an email, in order to get the item-id of that email message and also the recipients of that email to take action on each of them.
The problem is that, when I run the search based on the subject using !ews-search-mailbox query="Subject:<anything here>", I expect to ge the full list of recipients, alongside the other fields, like sender, item-id, ...etc.
But in fact I get a result that is limited only to the emails where the "to" OR "cc" is the email-id that is used in the configuration of the connector. -The connector uses App ID, Token, and Email ID-.
How can I get the full list of recipient of specific email with the !ews-search-mailbox based on Subject please.
06-27-2025 04:00 AM
Hi @xdrengineer
Microsoft has deprecated the ApplicationImpersonation access type as of February 2025, making the traditional EWS approach increasingly problematic for organization-wide searches.
Reference: EWS O365 Integration Documentation
The issue you're encountering is a fundamental access restriction in how the EWS O365 integration operates. When you execute !ews-search-mailbox query="Subject:<anything here>", the integration can only return emails from mailboxes where the configured service account has explicit access permissions.
Simply:
The EWS integration requires specific mailbox-level permissions to access each user's emails. Even with full_access_as_app permissions and the ApplicationImpersonation role, the integration can only search mailboxes where access has been explicitly granted through Application Access Policies.
06-27-2025 04:10 AM - edited 06-27-2025 04:16 AM
Here are some options/alternatives:
Option 1: Exchange Message Logs with XQL Queries
You could be ingesting Exchange message logs into your siem and run XQL queries to search by subject across all organizational email traffic. So you can get a complete historical visibility without API permission constraints
Option 2: Alternative PowerShell Command
Switch to EWS Extension Online PowerShell v3 integration with !ews-message-trace-get commands for organization-wide searches. This approach will bypass individual mailbox permission requirements.
Option 3: Microsoft Graph API Integration
Switch to the O365 Outlook Mail (Using Graph API) integration with organizational scope. This is Microsoft's preferred direction for email automation workflows.
07-01-2025 12:22 AM - edited 07-01-2025 12:23 AM
Hello @A.Elzedy,
Thanks for your responses,
I am looking at the shared alternate solutions you provided!
I am not sure what is the difference if I use O365 Outlook Mail (Using Graph API), instead of EWS O365 from permission point?
More over the commands mentioned in the document of the shared link of O365 Outlook Mail (Using Graph API) is not there on the Microsoft Graph API App from market place.
Can you please clarify what I may have missed here!
07-01-2025 06:16 AM
Well, the key advantage of Microsoft Graph. It offers highly granular permissions. Instead of a blanket "full access," you can grant an application specific permissions like Mail.Read (read mail), Mail.ReadWrite (read and write mail), Mail.Send (send mail), and importantly, Mail.Read.Shared (read shared mailboxes) or Mail.ReadBasic.All (read basic mail for all users) and Mail.Read.All (read all mail for all users) when granted as application permissions. This means you can scope down exactly what your integration can do.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
