Outlook Graph
Sometimes the technique used by the Outlook Web module to open the Outlook Web page with an Outlook access token simply does not work. In that case, you can use an access token for the MsGraph API (https://graph.microsoft.com) that carries the Mail.Read or Mail.ReadWrite claim to access the user's mailbox with the Outlook Graph module.
The module functionality is fairly self-explanatory. To get started, simply select an MsGraph access token and click the reload button to fetch all the emails of the user's Inbox folder. Unread emails will have a blue background.
To read an email, just select it and the content will load in the right pane. If there are any attachments in the email, they will be listed below the email where they are available for download. Emails with attachments will also have an attachment icon in the overview.
Note that just clicking on an email will not mark it as read, so you don't have to worry about the user noticing you reading their unread emails. If you really want though, you can mark an email as read/unread manually using the dedicated button above the email. This is also where you can delete emails. The regular Delete button will already hide the emails fairly well; however, users can recover them using the "Recover recently deleted emails" button from their Deleted Items folder (they will not be directly visible in this folder by default). The Permanent Delete button deletes the emails in a way that only an administrator would be able to recover the email for the user.
You can list the emails in other folders as well by opening the dropdown. All folders that exist in the user's mailbox will be fetched automatically; however, if you switched access tokens, you can use the reload icon next to the folder input to fetch the folders again with the current access token. Next to the folder name, the number of unread emails and the total number of emails are listed (e.g. in the following screenshot, the Inbox folder has 992 total emails, of which 3 are unread).
To view the full raw email details with all metadata and fields in JSON format, you can click on one of the info icons (i) next to the email subject in the email list pane.
The Limit input defines the number of emails to fetch at once. The MsGraph API is limited to a maximum of 1000 emails per request; if you need to list the next emails, you can use the Skip field to skip the first x emails.
The Search Query field lets you use the powerful search format supported by the MsGraph API to find what you need. You can either use it to search for a specific keyword across the complete email, or you can use the Keyword Query Language (KQL) to perform more specific searches. Some basic examples are built into GraphSpy directly; however, you can customize these to your liking. Some examples are provided below:
- Find emails where the word password appears near (within 10 words of) other keywords such as username, login, or account
"(username NEAR(10) password) OR (login NEAR(10) password) OR (account NEAR(10) password)"
- Search for common password reset emails
"subject:password AND (subject:forgot OR subject:forget OR subject:recover OR subject:forget OR subject:change OR subject:reset)"
- Search for emails containing attachments with zip, rar or 7z extensions.
"hasAttachments:true AND (attachment:.zip OR attachment:.rar OR attachment:.7z)"
GraphSpy can read emails in Shared/Delegated Mailboxes that the user has access to. Sadly, there is no easy way to identify which mailboxes the user has access to with the MS Graph API other than attempting to access a mailbox and seeing whether you get access denied. If you do happen to know the email address of a different mailbox that the user has access to, you can enter its email address in the relevant field and click Apply to list that user's emails.
Note that the standard Mail.Read and Mail.ReadWrite scopes will not suffice for this. To read emails in shared mailboxes, your MsGraph access token needs to have the Mail.Read.Shared or Mail.ReadWrite.Shared scope. The latter will also allow you to send emails from the shared mailbox.
Currently, there is only one FOCI Client ID that gives the Mail.Read.Shared scope, which is the Outlook Mobile client (Client ID: 27922004-5251-4030-b22d-91ecd9a37ea4). Sadly, there is no known FOCI client that actually gives the Mail.ReadWrite.Shared scope, so sending emails from Shared Mailboxes will usually be more of a challenge in most scenarios.
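The scope distinctions above are worth checking on the token itself before using it, since a token without one of the .Shared scopes will just return access denied on shared mailboxes. The following Python is an added example, not GraphSpy's own code or anything from this page: it decodes a token's payload without verifying the signature (fine for inspecting a token you already hold, not for trusting it) and reports whether the space-separated scp claim includes the own-mailbox and shared-mailbox scopes named above, and whether the appid claim matches the Outlook Mobile client ID given above. The sample token is constructed inline and unsigned; the function and constant names are mine, while scp, appid and aud are the standard claim names in Entra ID access tokens.

```python
import base64
import json

# Scopes discussed on the page: the plain ones cover the user's own mailbox,
# the .Shared ones additionally cover shared/delegated mailboxes.
OWN_MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared", "Mail.ReadWrite.Shared"}
SHARED_READ_SCOPES = {"Mail.Read.Shared", "Mail.ReadWrite.Shared"}
SHARED_SEND_SCOPES = {"Mail.ReadWrite.Shared"}

# Outlook Mobile FOCI client ID, as given on the page.
OUTLOOK_MOBILE_CLIENT_ID = "27922004-5251-4030-b22d-91ecd9a37ea4"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Only use this to inspect a token you already hold; the claims are not
    trustworthy until the signature has been validated against the issuer's keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token: str) -> set:
    # Delegated permissions live in the space-separated 'scp' claim.
    return set(decode_claims(token).get("scp", "").split())


def triage(token: str) -> dict:
    """Summarise what the token allows against the mailbox scopes on this page."""
    claims = decode_claims(token)
    scopes = set(claims.get("scp", "").split())
    return {
        "audience": claims.get("aud"),
        "client_id": claims.get("appid"),
        "is_outlook_mobile": claims.get("appid") == OUTLOOK_MOBILE_CLIENT_ID,
        "own_mailbox_read": bool(scopes & OWN_MAILBOX_SCOPES),
        "shared_mailbox_read": bool(scopes & SHARED_READ_SCOPES),
        "shared_mailbox_send": bool(scopes & SHARED_SEND_SCOPES),
        "scopes": sorted(scopes),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token (alg 'none') for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample: a Graph token issued to Outlook Mobile with Mail.Read.Shared
# but without Mail.ReadWrite.Shared, the situation the page describes.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": OUTLOOK_MOBILE_CLIENT_ID,
    "upn": "user@example.com",
    "scp": "Mail.Read Mail.Read.Shared User.Read",
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_TOKEN), indent=2))
```

For the constructed sample, triage reports shared_mailbox_read as true and shared_mailbox_send as false, which is exactly the gap the paragraph above describes for the Outlook Mobile client. Running it on a real token from a FOCI refresh-token flow tells you the same thing before any mailbox request is made.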
Depending on the role of the user you have access to, they might have access to common shared mailboxes such as info@, sales@, finance@, hr@, marketing@, IT@, helpdesk@, ... You can always give these common prefixes a shot and see if you do happen to have access or not. Sometimes users will also share their complete mailbox with other users (e.g. an executive assistant who has access to the mailbox of one or multiple executive members), so this might also be a valid approach.
There are two ways to send emails. You can either craft a completely new email using the New Email button, or you can use the Reply button to reply to an existing email.
When using the Reply functionality, the To and CC email addresses, as well as the Subject field, will be automatically prepopulated with default values to reply to everyone. However, you can still customize both of these values. Additionally, when sending a reply to an email, Microsoft will automatically append the original email after your new email body, as you would be used to when using any email client.
The email body supports any HTML that a regular HTML-formatted email would accept. You can use the built-in editor to format the emails to your liking, and even paste in inline images. If you want to see the raw HTML which will make up the email body, you can use the code icon button (right before the question mark) in the editor function ribbon.
Attachments can be uploaded too. Multiple attachments can be selected at once, although do take into consideration that most organizations set a maximum email size of about 20-50 MB. (This is the total email size, which takes text, inline images, and attachments into account, so keep this in mind when using large images and attachments in your email.)
After clicking the Send button, a notification will pop up after a couple of seconds stating whether the email was sent successfully or not. By default, the email creation window will not close and will keep your content in case you want to send the email to other recipients in individual emails.
As an additional verification that your email actually got sent, you can check the Sent Items folder of the user. If you don't want the user to see that you sent emails, you might also want to delete these from the Sent Items folder at this point.