Microsoft Defender for Office frequently quarantines legitimate emails from well-known services like DocuSign, creating hours of manual work for sysadmins who must review and release 30+ emails at a time.
A middleware/plugin that sits between email security tools and the inbox, maintaining a continuously updated database of verified sender domains, link patterns, and signing certificates from legitimate SaaS services. It auto-releases false positives and learns from admin actions.
subscription
The pain is real and visceral — the Reddit thread shows genuine frustration. Sysadmins losing Friday afternoons to release 30+ legit DocuSign emails is a recurring, annoying problem. However, it's an annoyance, not a business-critical emergency. Emails get delayed, not lost. Most admins tolerate it with grumbling rather than seeking paid solutions. Pain is frequent but low-severity per incident.
Narrow. Target is mid-size companies (100-2000 employees) using M365 with Defender, where the IT admin is frustrated enough to buy a tool. Estimated ~200K-500K such orgs globally. At $200-500/month average, TAM is roughly $500M-$2.5B. But realistic SAM is much smaller — many will tolerate the pain, use free workarounds, or be locked into enterprise security suites that partially address this. Realistic early market is maybe $50-100M.
This is the biggest risk. Sysadmins complain loudly but historically resist paying for 'convenience' tools — they'll build Power Automate flows or PowerShell scripts first. The buyer (IT manager/director) needs to justify spend on something that 'just whitelists emails.' Hard to get budget approval when the workaround is 'click release 30 times.' Competing against free native tools and DIY scripts. Would need to demonstrate time savings in dollars (e.g., '2 hours/week × $75/hr = $600/month saved') to justify even a $200/month subscription.
Microsoft Graph API provides quarantine management endpoints. Building a curated sender database for top SaaS services (DocuSign, Adobe, Salesforce, etc.) is feasible. Auto-release logic based on sender verification (DKIM/SPF/DMARC checks + known domain matching) is well-understood. However: M365 quarantine APIs have rate limits and permission complexities, the middleware needs to be very careful not to release actual threats (liability nightmare), and maintaining the sender database across thousands of SaaS services is ongoing work. A solo dev could build a basic MVP in 6-8 weeks, but making it production-safe for security-sensitive environments is harder.
Clear gap exists. No one sells a purpose-built 'false positive shield' for M365 Defender. Existing tools are full email security suites at $3-8/user/month that treat FP management as a secondary feature. The gap is a lightweight, affordable, single-purpose tool that just makes Defender's quarantine smarter. Risk: this gap might exist because it's not a viable standalone product — it might be a feature, not a company.
Strong natural recurring model. The curated sender database needs continuous updates as new SaaS services emerge and existing ones change infrastructure. Microsoft regularly updates Defender's filtering which creates new FP patterns. Admins need ongoing protection, not a one-time fix. Per-seat monthly pricing aligns with M365 billing patterns admins are used to.
- +Validated pain point with clear emotional signal from practitioners — this is a real, recurring frustration that sysadmins bond over
- +No direct competitor in the specific niche — everyone else sells a $4-8/user security suite when admins just want their DocuSign emails to stop getting quarantined
- +Natural recurring revenue model tied to continuously evolving threat landscape and SaaS ecosystem
- +Technical feasibility is solid — Microsoft Graph APIs exist, sender verification is well-understood, MVP scope is achievable
- +Low switching cost for customers — additive tool that works alongside Defender, not a replacement
- !Feature-not-a-product risk: Microsoft could add a 'trusted SaaS senders' list to Defender tomorrow and kill the entire value prop overnight
- !Willingness-to-pay is weak — sysadmins are vocal about pain but notoriously resistant to paying for tools when PowerShell scripts exist
- !Security liability is enormous — if the tool auto-releases a phishing email disguised as DocuSign, the customer's trust (and possibly their network) is destroyed. One incident could kill the product
- !Selling to IT admins at mid-size companies is a slow, high-trust sales cycle — they need to involve security teams and get approval to give a third-party tool quarantine release permissions
- !The sender database moat is shallow — a competitor or open-source project could replicate the core list quickly
Self-learning email security platform with AI + crowdsourced human intelligence. Includes dedicated incident management workflows for reviewing and releasing false positives, plus phishing simulation training.
API-based behavioral AI email security that builds communication profiles for every user and vendor, detecting anomalies. Claims very low false positive rates by understanding normal patterns.
Inline API-based email security that sits after Microsoft 365's native filters. Catches missed threats and provides a unified quarantine management dashboard for review and release.
Built-in Defender quarantine management, Tenant Allow/Block List for manual whitelisting, and custom Power Automate flows for automating quarantine review/release workflows via Graph API.
Open detection-as-code email security platform where admins write custom detection rules using a DSL. Offers granular control over what gets flagged vs. allowed.
A Power Platform app or lightweight SaaS that connects to M365 via Graph API, ships with a curated allowlist of the top 200 most-quarantined legitimate SaaS senders (DocuSign, Adobe Sign, Salesforce, HubSpot, etc.), and provides a dashboard showing quarantined emails matched against the allowlist with one-click bulk release. Start with semi-automated (flag + recommend release) rather than fully automated to reduce liability. Include an 'admin action learning' feature that tracks which quarantined senders admins consistently release and suggests new allowlist entries.
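As an added illustration of the sender-verification logic the feasibility note describes (DKIM/SPF/DMARC checks plus known-domain matching) and of the semi-automated "flag + recommend release" step in the MVP above, the following Python is example code written for this page, not code from the original page or from any product it mentions. It parses a quarantined message's Authentication-Results header, requires a DMARC pass, and matches the DMARC-aligned domain against a curated allowlist. The allowlist entries, the function names and the three sample headers are constructed for the example; fetching quarantined items and releasing them through the Graph API is deliberately left out, so the function only returns a recommendation for an admin to act on.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Illustrative allowlist keyed by the domain a vendor actually authenticates
# (constructed for this example; a real deployment curates and verifies each
# entry against the vendor's published sender documentation).
KNOWN_SAAS_SENDERS = {
    "docusign.net": "DocuSign",
    "docusign.com": "DocuSign",
    "adobesign.com": "Adobe Sign",
}

_COMMENT = re.compile(r"\([^)]*\)")  # RFC 8601 allows (comments) anywhere in the header
_PREFIX = re.compile(r"^\s*authentication-results\s*:\s*", re.I)


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results header into {method: {"result", "props"}}.

    'dkim=pass header.d=docusign.net' becomes
    {"dkim": {"result": "pass", "props": {"header.d": "docusign.net"}}}.
    Comments are stripped, values lower-cased and a leading '@' (header.i=@...) removed.
    A leading authserv-id clause (no '=' in its first token) is skipped, so headers
    with and without that clause both parse.
    """
    body = " ".join(_COMMENT.sub("", _PREFIX.sub("", header)).split())
    parsed = {}
    for clause in (c.strip() for c in body.split(";") if c.strip()):
        tokens = clause.split()
        if "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                props[key.lower()] = value.lower().lstrip("@")
        parsed[method.lower()] = {"result": result.lower(), "props": props}
    return parsed


def _domain_of(address: str) -> str:
    """Domain part of an RFC 5322 From value such as 'DocuSign <dse@docusign.net>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def _allowlist_match(domain: str, allowlist: dict) -> str | None:
    """Exact or parent-domain match only: 'mail.docusign.net' matches 'docusign.net',
    a lookalike such as 'docusign-secure.example' never does."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in allowlist:
            return allowlist[candidate]
    return None


@dataclass
class Assessment:
    action: str                      # "recommend-release" or "hold"
    reason: str
    service: str | None = None
    checks: dict = field(default_factory=dict)


def assess_quarantined_message(header_from: str, auth_results: str,
                               allowlist: dict = KNOWN_SAAS_SENDERS) -> Assessment:
    """Decide whether a quarantined message is a candidate for admin release.

    Release is recommended only when DMARC passed (so the From domain is aligned
    with a passing SPF or DKIM identity) and that aligned domain is on the curated
    allowlist. A display name of 'DocuSign' proves nothing, so it is never consulted.
    """
    auth = parse_auth_results(auth_results)
    checks = {m: auth[m]["result"] for m in ("spf", "dkim", "dmarc") if m in auth}
    dmarc = auth.get("dmarc")
    if not dmarc or dmarc["result"] != "pass":
        return Assessment("hold", "DMARC did not pass; sender identity is unverified", checks=checks)
    # Prefer the domain DMARC evaluated; fall back to the From header if absent.
    domain = dmarc["props"].get("header.from") or _domain_of(header_from)
    service = _allowlist_match(domain, allowlist)
    if service is None:
        return Assessment("hold", f"{domain} authenticated but is not a known SaaS sender", checks=checks)
    return Assessment("recommend-release", f"{domain} passed DMARC and is listed as {service}", service, checks)


# Constructed sample headers in the general shape Exchange Online emits (not real traffic).
SAMPLES = {
    "legit": ("DocuSign <dse@docusign.net>",
              "Authentication-Results: spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=docusign.net; "
              "dkim=pass (signature was verified) header.d=docusign.net header.i=@docusign.net; "
              "dmarc=pass action=none header.from=docusign.net; compauth=pass reason=100"),
    "lookalike": ("DocuSign <dse@docusign-secure.example>",
                  "Authentication-Results: spf=pass smtp.mailfrom=docusign-secure.example; "
                  "dkim=pass header.d=docusign-secure.example; "
                  "dmarc=pass action=none header.from=docusign-secure.example"),
    "spoofed": ("DocuSign <dse@docusign.net>",
                "Authentication-Results: spf=fail smtp.mailfrom=docusign.net; dkim=none; "
                "dmarc=fail action=oreject header.from=docusign.net"),
}


def triage(samples: dict = SAMPLES) -> dict:
    """Run the assessment over each sample; returns {name: action}."""
    return {name: assess_quarantined_message(frm, ar).action for name, (frm, ar) in samples.items()}


if __name__ == "__main__":
    for name, (frm, ar) in SAMPLES.items():
        a = assess_quarantined_message(frm, ar)
        print(f"{name:9s} {a.action:18s} {a.reason}  checks={a.checks}")
```

The design choice worth copying is that the allowlist is keyed on the DMARC-aligned domain, never on the display name or the bare From header, and that matching is exact-or-parent-domain, so the lookalike sample is held even though it passes all three checks for its own domain. Returning an Assessment rather than calling a release endpoint keeps the admin as the final decision point, which is the liability trade-off the feasibility note raises; the same structure can later record which held senders admins repeatedly release to feed the "admin action learning" suggestions.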
Free tier: connect M365, get visibility into quarantine FP patterns + curated top-50 sender list with manual release → Paid ($2-3/user/month or flat $149-299/month for <500 users): auto-release for verified senders, full 500+ sender database, admin action learning, weekly FP report → Enterprise ($499+/month): custom sender verification, SLA, audit logging, multi-tenant management, API access
3-4 months. Month 1-2: build MVP with Graph API integration + curated sender database for top 100 services. Month 2-3: beta with 5-10 sysadmins from Reddit/Spiceworks communities (free). Month 3-4: convert beta users to paid or acquire first paying customers through sysadmin communities. Revenue will be slow initially — expect $500-2K MRR by month 6 if execution is strong.
- “quarantined 30+ DocuSign emails over the past 2 days”
- “I don't like working to undo Microsoft misclassification on a Friday afternoon”
- “how little tooling there is to address the false positives besides begging MS support to tune their models”
- “It's that time again, eh? It's just a pattern at this point”