
Get Original Email - EWS

This Playbook is part of the Phishing Pack.

This playbook retrieves the original email in a thread, including headers and attachments, when the reporting user forwarded the original email inline rather than as an attachment.

Note: You must have the necessary eDiscovery permissions in the EWS integration to execute a global search.


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • EWS v2

Scripts

  • DeleteContext
  • Set

Commands

  • ews-search-mailbox
  • ews-get-items
  • ews-get-attachment

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Mailbox | Email address of the reporting user. | incident.labels.Email/from | Optional |
| InReplyTo | The InReplyTo header in the forwarded email. | incident.labels.Email/Header/In-Reply-To | Optional |
| ThreadTopic | The ThreadTopic header in the forwarded email. | incident.labels.Email/Header/Thread-Topic | Optional |
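
The three inputs above all come from headers of the forwarded report. As an added illustration (not part of the playbook or the EWS integration), this Python example pulls those values out of a raw message and lists which ones are empty; the function names and both sample messages are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a report forwarded inline, with a folded In-Reply-To
# header and an RFC 2047 encoded Thread-Topic.
FORWARDED_INLINE = (
    "From: Alice Example <alice@example.com>\r\n"
    "To: phishing-reports@example.com\r\n"
    "Subject: FW: Invoice overdue\r\n"
    "In-Reply-To:\r\n <orig-0001@mail.example.net>\r\n"
    "Thread-Topic: =?utf-8?B?SW52b2ljZSBvdmVyZHVl?=\r\n"
    "\r\n"
    "-----Original Message-----\r\n"
)

# Constructed sample: the user pasted the text into a new message, so the
# threading headers are absent.
PASTED_INTO_NEW_MAIL = (
    "From: bob@example.com\r\n"
    "To: phishing-reports@example.com\r\n"
    "Subject: suspicious mail\r\n"
    "\r\n"
    "see below\r\n"
)


def playbook_inputs(raw_email: str) -> dict:
    """Return the Mailbox, InReplyTo and ThreadTopic values for a report."""
    msg = message_from_string(raw_email, policy=policy.default)

    def header(name: str) -> str:
        value = msg[name]
        # policy.default unfolds the header and decodes encoded words.
        return str(value).strip() if value is not None else ""

    return {
        "Mailbox": parseaddr(header("From"))[1],   # address only, no display name
        "InReplyTo": header("In-Reply-To"),
        "ThreadTopic": header("Thread-Topic"),
    }


def missing_inputs(inputs: dict) -> list:
    """Names of inputs that are empty (assumption: worth flagging to the analyst)."""
    return sorted(name for name, value in inputs.items() if not value)
```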

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Email | The email object. | unknown |
| Email.To | The email recipient. | string |
| Email.From | The email sender. | string |
| Email.HTML | The email HTML. | string |
| Email.Body | The email text body. | string |
| Email.Headers | The email headers. | unknown |
| Email.Subject | The email subject. | string |
| File | The original attachments. | unknown |
| Email.HeadersMap | The email headers map. | unknown |

Playbook Image

[Image: Get Original Email - EWS]