One Day Sec

What is the core idea behind using a password hash to authenticate to Exchange Web Service (EWS)?

The core idea is to simulate the NTLM over HTTP protocol, using the NTLM hash directly to encrypt the server's Challenge, so that no plaintext password is needed. Instead of relying on Mimikatz's over pass the hash (which requires admin privileges), you can implement this programmatically using a tool like Impacket to send the appropriate NTLM authentication messages. The article "Penetration Techniques - Pass the Hash with Exchange Web Service" explains the step-by-step approach.
Pass the Hash, NTLM Challenge-Response, Impacket, EWS authentication, over pass the hash
