O365 Plugin - Not getting emails from a user

I’m starting a new workflow to automate responses based on emails we get from MDR. I created a service account to receive the same emails my team does and I’m using the Office Plugin to first read the mailbox. Here’s what I have in my Input:

Mailbox ID:
full email address of the service account

Folder Name:


Subject Query:
Text that matches what I’m trying to automate the response for

When I try to test it, I put the email address in Account and ID (not sure what the difference is here) and the subject from above, the output doesn’t give me anything. Shouldn’t it give me a list of emails in the inbox?

Shouldn’t it give me a list of emails in the inbox?

Are you using the “Email Received” or “Email Added To Folder” triggers or the “Get Email From User” action?

I’m using Email Received

That’s a trigger.

It’ll only return data when a new email comes in that meets your query parameters.

It will also return emails one at a time so you can automate your response to each email.

During the test, I have the Is Read option set to false, so shouldn’t it return any unread emails?

I’m not sure what the Read option is. Are you sure you’re using the Office 365 Email plugin?

This one right?

Screenshot 2021-07-20 074501

Yes, that’s the one. Just trying to ensure everything is working with it’s connection to O365, even though the connector is good. So if I put the email address in either ID or Account and Is Read is set to false, shouldn’t it return any unread emails?

Are you using the latest version of the plugin?

I found is_read in the output:

Yes, I’m on the current version. So when you ran your test, did that email box have an email in it? I don’t know if what I’m testing for will actually work. I’m expecting it to kick out a list of emails that are unread.

I’m just really confused by “Is Read” as an input, I’m not sure where that’s coming from.

But let me back up, the plugin doesn’t work like that. It will only return new emails that are received after you start the WF. What the plugin does is scan the folder, it finds the most recent email, and uses that date/time as a special value. Any emails that come in after that date/time are returned to the workflow as a trigger (and the special value is updated to that most recent email’s time).

If it gets a bunch of emails at once, it will return them one by one so you can automate each response. That’s how all our triggers work more or less.

The trigger gets some sort of signal (a new piece of information, an alert, an email, a message, etc…) and gives that info to ICON to automate actions against it. ICON will run a WF per trigger it receives.

Ah, ok I didn’t understand that. Thanks for the info!

1 Like

I am interested in what types of MDR emails you are looking to automate responses with. And relatedly what responses are you looking to cause? Suspect user accounts, quarantine machines, block email senders/URLs, those types of things?

Currently Ingress Auth emails. We get a lot of these daily.