Hi all,
is there a way to integrate with O365 and, given a malicious email (identified by subject and sender), search for it in all the mailboxes of all the users and then delete it?
I was looking for an action in the "EWS for Office 365 App" and in "MS Graph for Office 365" but I do not see any action able to do that. For instance, the "run query" actions require a precise mailbox to look into.
Thank you in advance.
@drew19 if you can get the message id of the email from ANY inbox then you can just use the `delete email` action in the EWS app.
The message id is usually on the original email but depending how you report phishing you may not get the original id through so could run a query on 1 user's mailbox to find the id then pass into the delete action and as long as impersonation rights are there, AFAIK i should then delete all messages with that id in all mailboxes.
Happy SOARing
----- If this helped fix it please mark as a solution to help others in the future -----
Hi @phanTom,
did you miss the last answer? Is there a way to understand if and how could we get all the email IDs related to a specific email (e.g. given a subject and a sender or pivoting on other elements - which ones in that case?).
Thank you in advance.
Andrea
Hi @phanTom ,
thank you for your reply.
This is not answering our question, so let me try to write it better.
Our target usecase is to:
1) Find all the users who have received an email with a particular subject/sender/string in the body and retrieving the related email IDs;
2) Delete such emails.
The (most important) point that seems not possible for now is the first one since when using the "run query" action from Exchange App you are required to specify the input field "email" that is the "User Mailbox to search in".
For this reason, we do not see any app/action for Phantom that could help us retrieving such IDs. Is there a way to do that?