IBM Security SOAR

Expand all | Collapse all

Exchange Online Integration - Moving Emails

  • 1.  Exchange Online Integration - Moving Emails

    Posted Tue September 14, 2021 08:50 AM

    The move email functionality of the Exchange Online app allows to move emails in a specific mailbox to a specified "Well-known" folder (e.g. junk folder, deleted items).

    For our phishing mailbox we would like to be able to move the emails to a custom subfolder (e.g. True Positive or False Positive).
    We tried to put the ID of a subfolder as the value of the "exo_destination_mailfolder_id" field. Unfortunately, that failed.

    Does anyone have an idea how to extend this functionality to be able to also move emails to custom subfolders?



    Stef Bisschop

  • 2.  RE: Exchange Online Integration - Moving Emails

    Posted Wed September 15, 2021 02:49 PM
    Hi Stef,

    Moving a message to a custom named (not Well-known) subfolder is not currently supported.  You can submit a RFE and will will consider it for a future release.

    The move-to folder was limited to the well-known folders to make the integration UI simpler by allowing the using to select from a list in the rule activity field.

    On inspecting the code that makes the MS Graph API call to move the message to a folder (from the IBM public github):

        def move_message(self, email_address, mail_folder, message_id, dest_folder):
            Call MS Graph to move message.
            :param email_address: email address of the user's mailbox from which to delete the message
            :param message_id: message id of the message to be deleted
            :param mail_folder: mailFolder id of the folder containing the message to be deleted
            :return: requests response from the /users/ endpoint which is the list of all users.
            mail_folder_string = self.build_folder_string(mail_folder)
            ms_graph_users_url = u'{0}/users/{1}{2}/messages/{3}/move'.format(self.ms_graph_url, email_address,
                                                                              mail_folder_string, message_id)
            response =,
                                                  headers={'Content-Type': 'application/json'},
                                                  json={'destinationId': dest_folder['name']})
            return response​
    dest_folder['name'] in the above code is the name of the folder to move the message to.  In the current integration exo_destination_mailfolder_id is a choice of a "select" field filled with the well-known folder names.

    The documentation for the MS Graph API call used move a message to a folder is here.

    destinationId String The destination folder ID, or a well-known folder name. For a list of supported well-known folder names, see mailFolder resource type.
    Instead of providing a well-known folder name you may have to get the destination folder ID by listing the folders for the user
    and getting the "id" of the custom folder and passing it in the
    json={'destinationId': id}​

    Hope that helps!


    AnnMarie Norcross