Outlook Web

RedByte edited this page May 16, 2025 · 3 revisions

Note: Microsoft seems to have made some changes that fixed the technique used by GraphSpy to open the mailbox of the user in Outlook Web with an access token. It still works in some scenarios, but more often than not, it will not work anymore. Therefore, I have now added a new Outlook Graph module that can be used with an MsGraph token instead. Feel free to test out the Outlook Web technique; however, if it doesn't work, your best bet will be to use an MsGraph token instead.


The Outlook module of GraphSpy is most likely one of the simplest, yet it is one of the most powerful as well.

This is because a simple access token for https://outlook.office365.com/ can be used to open the mailbox of the target user on a new page, providing access to any functionality that you would expect to have in the Outlook Web Mail application.

To use it, simply request an access token for the https://outlook.office365.com/ resource (can be obtained using a FOCI client!), and click on the Set access token button to populate the Access Token field below. Then, click on the Open outlook button to open the mailbox of the user.

If your access token is valid, this will open a browser tab in which you have complete access to the user's mailbox. From here you can interact with emails, view the user's calendar, create email rules, and so on.

Some things to keep in mind are:

  • The access is limited to this specific access token for https://outlook.office365.com/. If you try to open any other Office applications from this page (e.g. OneDrive, Microsoft Teams, ...), this will obviously not work!
  • This technique only allows you to insert an access token in the browsing session. As a result, once that access token expires, you will be asked to sign in again. If you still have a valid FOCI refresh token, you can easily request a new access token and open the page again.
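
Both caveats above (the token is bound to one resource, and it expires) can be read from the token's own claims when triaging a token during a test or an investigation. The following is an added example, not GraphSpy code; it assumes the `aud` claim carries the resource URI as a string, and `triage` and `make_sample` are hypothetical helper names.

```python
import base64
import json
import time

OUTLOOK_RESOURCE = "https://outlook.office365.com/"  # resource named on this page


def decode_claims(token):
    """Return the JWT payload claims WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def triage(token, now=None):
    """Report which resource the token is bound to and how long it remains valid."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud", "")
    audiences = aud if isinstance(aud, list) else [aud]
    exp = claims.get("exp")
    wanted = OUTLOOK_RESOURCE.rstrip("/")  # compare without the trailing slash
    return {
        "audience": audiences,
        "outlook_scoped": any(str(a).rstrip("/") == wanted for a in audiences),
        "seconds_left": None if exp is None else int(exp - now),
        "expired": exp is not None and exp <= now,
    }


def make_sample(aud, exp):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud, 'exp': exp})}.sig"


if __name__ == "__main__":
    t0 = 1_750_000_000  # constructed reference time
    print(triage(make_sample("https://outlook.office365.com", t0 + 3600), now=t0))
    print(triage(make_sample("https://graph.microsoft.com", t0 - 60), now=t0))
```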