Case Study

MailBreach — Business Email Compromise Detection SaaS

A production cybersecurity platform that continuously scans Microsoft 365 and Google Workspace tenants for hidden email forwarding rules, AI-classifies threats against MITRE ATT&CK patterns, and auto-remediates findings with full audit trails.

Complexity Score: 9.2 / 10
Bespoke Software — Complex Platform tier

Role: Founder & Sole Engineer
Stack: Next.js · FastAPI · Python · PydanticAI · Convex · Clerk
Status: Live — mailbreach.com
Complexity: 9.2 / 10
The Problem

The attack your SIEM doesn't catch

Business email compromise (BEC) is the costliest cybercrime category in the US — $2.9 billion in losses in 2023 alone. The attack vector most security tools miss entirely: after gaining initial access, attackers create hidden inbox rules that silently forward sensitive emails — invoices, wire transfer requests, password resets — to external addresses. The rule runs indefinitely. No alerts fire. The user never sees the forwarded emails. IT has no visibility.

Average Dwell Time: 197 days before discovery

MailBreach was built to close that gap. It detects MITRE ATT&CK T1114.003 (Email Forwarding Rule) — one of the most common post-compromise persistence techniques — across every mailbox in a tenant, automatically.

Architecture

What was actually built

MailBreach is not a simple integration. It is a production-grade, multi-tenant SaaS platform with dual cloud provider integrations, an AI classification engine, an automated remediation system, and a compliance reporting layer. Every component was designed, built, and shipped with purpose by Crestwork Studio.


Ten major architecture components. Three rated Maximum complexity. One codebase, one engineer, one production deployment.

Multi-tenant SaaS + strict data isolation (Maximum): Each client tenant is a fully isolated data environment. One misconfiguration means cross-tenant exposure — the hardest class of bug in SaaS architecture.
Microsoft 365 integration (Maximum): OAuth 2.0 admin consent via Microsoft Graph API. Scans inbox rules, filters, auto-forwarding settings, forwarding addresses, and rule timestamps across every user in the directory.
Google Workspace integration (Maximum): Service Account with Domain-Wide Delegation via Gmail API + Directory API. Separate auth model, separate scanning logic, full parity with M365 coverage.
Automated remediation engine (Maximum): Three modes: read-only (audit only), approve-to-apply (admin reviews findings and one-click approves), full auto-remediate (Severity 1 threats fixed automatically with guardrails). Before-snapshots taken for every change — full rollback available.
AI classification engine (High): 12 detection patterns mapped to MITRE ATT&CK T1114.003. Each finding is assigned a Pattern ID (P1–P12), severity (1 = Critical, 2 = Suspicious, 3 = Monitor), confidence score (0.0–1.0), and recommended action.
Continuous background scanning (High): Daily re-scans across all tenants and mailboxes. Drift detection flags new rules created since the last scan, previously remediated rules that reappeared, and tenant policies that were loosened.
MSP multi-tenant dashboard (High): Aggregated cross-tenant views, per-client drill-down, risk scoring, and technician workflow — a second full application layer on top of the core platform.
Audit trail + compliance reporting (Medium): Every action logged with actor, timestamp, before-state, and evidence. Automated client-facing reports for SOC 2, ISO 27001, HIPAA, and cyber insurance documentation. Downloadable JSON audit logs.
Webhook infrastructure + Slack integration (Medium): Configurable endpoints per tenant, event-driven delivery with retry logic, Slack alert routing for real-time security notifications.
Tiered subscription billing (Medium): Stripe integration with plan enforcement at the feature level — auto-remediation gated by plan, user count caps enforced, trial flows, upgrade prompts.
Detection

12 threat patterns. Three severity levels.

Every mailbox rule is analyzed against 12 known-bad patterns, each mapped to MITRE ATT&CK T1114.003. Findings are classified by severity and confidence score, then queued for remediation based on the tenant's configured mode.

Severity 1: Critical (auto-remediate eligible)
P1 External Forward (Non-Allowlisted): Forwarding to an external address not on the approved list
P2 Forward + Delete: Forward externally and delete the original, hiding evidence
P3 Forward + Mark Read + Hide: Forward, mark as read, move to Junk or Archive so the user never sees it
P4 Recently Created Rule: Rule created in the last 72 hours, a post-compromise timing indicator
P5 New Unknown Destination: Forwarding to a newly-added external address

Severity 2: Suspicious (requires approval)
P6 Allowlisted External Forward: Forwarding to an approved domain that may still need review
P7 Sensitive Keyword Targeting: Rules targeting "invoice," "wire," "ACH," or "password reset"
P8 Auto-Delete Important Senders: Deleting emails from executives or security systems
P9 Catch-All Forward: Broad rule forwarding all or most mail externally

Severity 3: Monitor (weak signals)
P10 Excessive Rule Count: User has an abnormally high number of rules or filters
P11 High Rule Churn: Frequent rule changes in a short period
P12 Tenant Posture Drift: External forwarding policy was loosened at the tenant level
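As an added illustration (not MailBreach's own code), the per-rule part of this classification in Python: a constructed MailboxRule model holding only configuration metadata, and a classify() that returns matched Pattern IDs and the resulting severity. It covers P1 through P7 and P9; P8 and P10 through P12 need sender lists or per-user and tenant-wide history and are left out, and the P4 narrowing to external forwards is an assumption of this example.

```python
from dataclasses import dataclass

# Constructed rule model: configuration metadata only, never message content.
@dataclass
class MailboxRule:
    owner: str                    # mailbox the rule lives in
    forward_to: list              # forwarding / redirect targets
    deletes: bool = False         # rule also deletes the original message
    marks_read: bool = False      # rule marks the message as read
    moves_to: str = ""            # folder the rule moves mail into
    age_hours: float = None       # hours since the rule's creation timestamp
    subject_keywords: tuple = ()  # subject filters the rule matches on
    applies_to_all: bool = False  # no conditions: the rule catches every message

SENSITIVE = {"invoice", "wire", "ach", "password reset"}
SEVERITY = {"P1": 1, "P2": 1, "P3": 1, "P4": 1, "P5": 1, "P6": 2, "P7": 2, "P9": 2}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def classify(rule, tenant_domain, allowlist, known_destinations):
    """Return (pattern ids, severity); severity None means no pattern matched."""
    external = [a for a in rule.forward_to if domain(a) != tenant_domain]
    unlisted = [a for a in external if domain(a) not in allowlist]
    hits = []
    if unlisted:
        hits.append("P1")
    if unlisted and rule.deletes:
        hits.append("P2")
    if unlisted and rule.marks_read and rule.moves_to in ("Junk", "Archive"):
        hits.append("P3")
    if external and rule.age_hours is not None and rule.age_hours <= 72:
        hits.append("P4")  # assumption: the timing signal is only scored for external forwards
    if any(a.lower() not in known_destinations for a in unlisted):
        hits.append("P5")
    if external and not unlisted:
        hits.append("P6")  # allowlisted destination: not blocked, but queued for review
    if {k.lower() for k in rule.subject_keywords} & SENSITIVE:
        hits.append("P7")
    if external and rule.applies_to_all:
        hits.append("P9")
    # The finding's severity is the most critical pattern it matched.
    severity = min(SEVERITY[p] for p in hits) if hits else None
    return hits, severity
```

Allowlist entries are domains, while known_destinations are full addresses already seen in earlier scans, which is what lets P5 distinguish a brand-new target from one that has been there for months.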

Guardrails

Non-negotiable safety constraints

Every remediation action operates under strict guardrails designed to protect data integrity and support compliance requirements.

No email content access — only configuration metadata is ever read, never email content

Before-snapshots on every change — one-click rollback available for any remediation

Verification step after every fix — MailBreach re-reads the config to confirm the change applied

Allowlist enforcement — approved forwarding destinations are never flagged

Full audit logging — every action recorded with actor, timestamp, before-state, and context

Tenant isolation — complete data separation between all customers

Compliance-ready — audit trail supports SOC 2, ISO 27001, HIPAA, and cyber insurance documentation
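An added example (not the platform's code) of the snapshot, verify and rollback guardrails above together with the three remediation modes, written against a constructed in-memory rule API rather than Graph or Gmail; the mode gate in allowed() and the audit entry fields are assumptions of this example.

```python
import copy
from datetime import datetime, timezone

class FakeRuleApi:
    """Constructed stand-in for a provider rule API; holds rule metadata only."""
    def __init__(self, rules):
        self.rules = rules                          # rule_id -> rule dict
    def get_rule(self, rule_id):
        return copy.deepcopy(self.rules[rule_id])
    def set_rule(self, rule_id, rule):
        self.rules[rule_id] = copy.deepcopy(rule)

class StuckRuleApi(FakeRuleApi):
    """Same API, but writes are silently lost: exercises the verify/rollback path."""
    def set_rule(self, rule_id, rule):
        pass

def allowed(mode, severity, approved):
    """Mode gate: read-only never writes, approve needs a human, auto covers Severity 1."""
    return {"read-only": False,
            "approve": approved,
            "auto": severity == 1 or approved}[mode]

def remediate(api, rule_id, severity, actor, mode, audit, approved=False):
    """Disable a flagged rule under the guardrails; returns the outcome written to audit."""
    entry = {"actor": actor, "rule_id": rule_id, "severity": severity, "mode": mode,
             "timestamp": datetime.now(timezone.utc).isoformat()}
    if not allowed(mode, severity, approved):
        entry.update(outcome="skipped", before=None)
        audit.append(entry)
        return "skipped"
    before = api.get_rule(rule_id)                  # before-snapshot, kept for rollback
    api.set_rule(rule_id, dict(before, enabled=False))
    after = api.get_rule(rule_id)                   # verification: re-read, never assume
    if after.get("enabled") is False:
        outcome = "applied"
    else:
        api.set_rule(rule_id, before)               # restore the snapshot on failure
        outcome = "rolled_back"
    entry.update(outcome=outcome, before=before, after=after)
    audit.append(entry)
    return outcome

def rollback(api, entry):
    """One-click rollback: restore the before-snapshot stored in an audit entry."""
    api.set_rule(entry["rule_id"], entry["before"])
    return api.get_rule(entry["rule_id"]) == entry["before"]
```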

Stack

Built with

Frontend: React + TypeScript
Backend: FastAPI + Python
Database: Convex (serverless, real-time)
AI Agents: PydanticAI
Auth: Clerk (multi-tenant, SSO-ready)
Email APIs: Microsoft Graph · Gmail API · Directory API
Billing: Stripe
Hosting: Railway
Product

Three tiers. 15-minute setup.

Starter
$99/month
  • Up to 50 users
  • M365 or Google Workspace
  • Approve-to-apply remediation
  • Weekly evidence reports
  • Email support
Pro (Most Popular)
$299/month
  • Up to 500 users
  • Both M365 and Google Workspace
  • Auto-remediation (Severity 1)
  • Daily drift control
  • Webhooks and integrations
  • Priority support
Plus
$599/month
  • Unlimited users
  • Both providers
  • Full auto-remediation
  • Multi-admin workflows
  • Advanced allowlists
  • Dedicated support
  • Custom SLA

MailBreach was built by Crestwork Studio as a live proof of our bespoke software capability. If you need a platform of comparable complexity built for your business — multi-tenant architecture, dual API integrations, AI classification, automated workflows — this is what we build.

Interested in what we can build for you?

MailBreach represents the top of our bespoke software category — a 9.2/10 complexity platform built to production with purpose by Crestwork Studio. If you have a complex software problem, we'd like to hear about it.