Exchange Web Services
EWS is a protocol that allows third-party applications (registered apps) to access Exchange Online accounts on behalf of your users.
This is a common requirement, and it allows an app to assist a user with, for example, email and calendar management.
The Risk
While common and, in many cases, extremely useful to the business, third-party apps can be a security blind spot. Microsoft does not guarantee the security of third-party apps, and it is often left to the users themselves to judge whether an app is safe.
Third-party apps can also be a mechanism for hackers to gain a persistent back door in a mailbox. This can happen after an account is initially breached: the attacker authorizes an app that can manage the mailbox non-interactively. Non-interactive management is less obvious and will not trigger the same level of alerting from that point onwards.
An attacker may also use social engineering to get a user to authorize a malicious third-party app.
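One way to review which apps hold delegated EWS access, as an added example that is not part of the original page: it filters records shaped like Microsoft Graph `oauth2PermissionGrant` objects for the `EWS.AccessAsUser.All` scope and reports any client that is not on an allowlist. The sample records, all IDs and the `APPROVED_CLIENTS` allowlist are constructed for illustration.

```python
import json

EWS_DELEGATED_SCOPE = "EWS.AccessAsUser.All"  # delegated EWS permission on Exchange Online

# Constructed sample: records shaped like Microsoft Graph oauth2PermissionGrant
# objects. Every ID below is made up for illustration.
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "sp-approved-calendar", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-exchange-online", "scope": "EWS.AccessAsUser.All"},
  {"clientId": "sp-unknown-mailtool", "consentType": "Principal", "principalId": "user-alice",
   "resourceId": "sp-exchange-online", "scope": " EWS.AccessAsUser.All"},
  {"clientId": "sp-unknown-notes", "consentType": "Principal", "principalId": "user-bob",
   "resourceId": "sp-graph", "scope": "User.Read"}
]
""")

# Hypothetical allowlist of client service principals the security team has reviewed.
APPROVED_CLIENTS = {"sp-approved-calendar"}


def find_unreviewed_ews_grants(grants, approved_clients):
    """Return delegated EWS grants held by apps that are not on the allowlist."""
    findings = []
    for grant in grants:
        # scope is a space-separated string; split() tolerates extra whitespace.
        scopes = set((grant.get("scope") or "").split())
        if EWS_DELEGATED_SCOPE not in scopes:
            continue
        if grant.get("clientId") in approved_clients:
            continue
        findings.append({
            "clientId": grant.get("clientId"),
            # "Principal": one user consented for their own mailbox.
            # "AllPrincipals": an admin consented on behalf of every user.
            "consentType": grant.get("consentType"),
            "principalId": grant.get("principalId"),
            "scopes": sorted(scopes),
        })
    return findings


if __name__ == "__main__":
    for finding in find_unreviewed_ews_grants(SAMPLE_GRANTS, APPROVED_CLIENTS):
        print(finding)
```

A grant with `consentType` of `Principal` is the case described above, where a single user (or someone in control of their account) authorized the app.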