After a compromised internal account blasts phishing emails, admins must manually use Purview Content Search to find affected mailboxes and then write PowerShell scripts to purge — a slow, error-prone process while employees are actively clicking malicious links.
A lightweight tool that hooks into M365 via Graph API, detects mass-send events from compromised accounts in real-time, automatically identifies all recipients, and provides a single-click purge across all mailboxes — plus sends automated warnings to anyone who already opened the email.
This is a hair-on-fire problem. When an internal account is compromised and phishing emails are actively being clicked, every minute matters. The Reddit post shows genuine panic — 2000 emails across 82+ mailboxes, employees clicking, the admin scrambling with PowerShell. This isn't a nice-to-have optimization; it's crisis management. The current manual process (Content Search → wait → review → PowerShell purge → manually warn users) takes 1-4 hours, during which the damage compounds. The emotional intensity is extreme — admins fear for their jobs during these incidents.
M365 has 400M+ paid seats, but the addressable market narrows significantly. Target is SMBs with 50-500 mailboxes who don't already have enterprise email security (IRONSCALES, Abnormal, etc.). Estimate ~500K M365 tenants in this sweet spot globally. At $149/month, if you capture 1% that's ~$89M ARR — a great outcome for a bootstrapped product. But realistically, this is a niche within email security, not a platform play. TAM is meaningful but not massive. The pay-per-incident model further fragments revenue potential.
This is the critical weakness. $149/month is objectively cheap insurance, but SMB IT admins face a psychological barrier: they're paying monthly for something they might need 2-4 times per year. The Reddit post shows someone dealing with their 'first real email compromise' — it's not a daily occurrence. Many will think 'I'll just deal with it manually when it happens.' The $49/incident model is more aligned with the episodic nature but makes revenue unpredictable. Budget-constrained SMBs will compare $1,788/year to 'free PowerShell scripts I already know.' Willingness to pay surges DURING an incident (they'd pay $500 in that moment) but drops to near-zero between incidents. You'd need to add continuous value (monitoring, reporting, compliance) to justify the subscription.
Graph API supports the core workflow — searching messages (MessageTrace), reading mailbox contents (Mail.Read), deleting messages (Mail.ReadWrite), and sending notifications. A competent solo dev can build a working MVP in 6-8 weeks. However, there are meaningful technical challenges: (1) Graph API rate limits and throttling at scale — purging 2000 messages across 82 mailboxes will hit limits, (2) the app requires Mail.ReadWrite permission on ALL mailboxes — a very high-privilege permission that triggers security reviews, (3) real-time detection of mass-send events requires either polling or using Graph subscriptions/webhooks which have reliability issues, (4) M365 tenant configurations vary wildly and edge cases abound, (5) you need to handle shared mailboxes, distribution lists, and hybrid Exchange scenarios. Buildable, but more complex than it first appears.
A clear gap exists in the SMB market — all current solutions with purge capability cost $1,500-3,000/month for 500 users and require enterprise sales cycles. No one offers a lightweight, purpose-built, self-serve tool for this specific incident response workflow at SMB pricing. However, the gap is narrower than it appears: (1) Microsoft's native Defender + ZAP is improving and is 'good enough' for many, (2) any of the enterprise players could launch an SMB tier tomorrow, (3) the open-source community has PowerShell scripts and toolkits (like Hawk) that partially address this for free. You're competing with 'good enough free' on one side and 'comprehensive but expensive' on the other — a viable but squeezable position.
This is the biggest red flag. The core value proposition — purging phishing emails during an incident — is episodic by nature. Most SMBs face this 2-6 times per year. Months will pass with zero usage, and admins will question the subscription. To build genuine recurring value you'd need to layer on: (1) continuous monitoring and anomaly detection, (2) automated threat response rules, (3) compliance reporting and audit trails, (4) phishing simulation, (5) mailbox hygiene scanning. But each of these pulls you into competition with established platforms. The $49/incident model is more honest but creates feast-or-famine revenue. The subscription works only if you make the 'quiet months' valuable — dashboard showing threats blocked, security posture scoring, automated policy enforcement.
- +Genuine hair-on-fire problem validated by organic community discussion — 126 upvotes with detailed comments describing exact pain points
- +Massive pricing gap between 'free PowerShell' and '$3,000/month enterprise platforms' — $149/month is an underserved price point
- +Clear, focused value proposition that can be explained in one sentence — no feature bloat needed for v1
- +The technical barrier to building this is low, but Graph API complexity creates meaningful switching costs once deployed
- +M365 ecosystem is enormous, homogeneous, and not going anywhere — stable platform to build on
- +Incident response urgency creates strong word-of-mouth — admins who survive a compromise will evangelize the tool that saved them
- !Microsoft platform risk — Defender ZAP and Security Copilot are rapidly improving. Microsoft could ship a 'one-click purge' button in Defender and eliminate the core value prop overnight
- !Episodic usage pattern makes subscription retention extremely difficult — expect high churn after the first incident is resolved unless continuous monitoring value is established
- !Mail.ReadWrite permission on all mailboxes is a massive trust barrier — SMB admins will hesitate to grant a startup full read/write access to every email in their organization. A security review and SOC 2 compliance will be expected
- !SMB sales cycle for security tools is longer than expected — even at $149/month, security purchasing often requires vendor assessment, and MSPs (who manage most SMBs) may resist third-party tools
- !Graph API rate limits and reliability issues could cause the tool to fail during the exact high-pressure moments when it needs to work perfectly
Microsoft's native email threat protection with Threat Explorer for manual email search/purge and Zero-hour Auto Purge
AI-powered email security platform with post-delivery remediation. Includes one-click remediation from user-reported phishing, automated clawback across mailboxes, and crowdsourced threat intelligence from their customer base.
Behavioral AI email security that profiles communication patterns to detect anomalies. Includes automated post-delivery remediation and clawback of malicious emails via API integration with M365.
Automated email quarantine and pull-back system that works with Proofpoint's Targeted Attack Protection
Open-core email detection and response platform. Allows admins to write custom detection rules, hunt through email logs, and take remediation actions including bulk message removal across M365 mailboxes.
Web app with M365 OAuth admin consent flow. Three screens: (1) Dashboard showing recent suspicious mass-send events detected via Graph API message trace monitoring, (2) Incident view where admin selects a compromised account/message, sees all recipients and who opened it, and clicks 'Purge All + Notify Recipients' — one button, (3) Audit log of all actions taken. Skip real-time detection for MVP — start with manual trigger where admin pastes a message ID or sender address and the tool finds all instances. This removes the hardest technical problem (real-time detection) while still delivering the core purge-in-one-click value. Build the detection layer in v2 once you have paying customers validating the purge workflow.
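The purge workflow from the feasibility notes and the manual-trigger MVP above, as an added example that is not the proposed tool's code: the admin supplies an Internet Message-ID, the script locates every copy across a list of mailboxes through the Graph `/users/{id}/messages` endpoint, deletes them, and reports who had already opened the message, while honouring `Retry-After` on 429/503 throttling and following `@odata.nextLink` pagination. The transport is injected so the block runs offline against a constructed fake tenant; `graph_call`, `find_instances`, `purge`, `fake_transport` and `demo` are names chosen here, and a real deployment would plug in an authenticated HTTP client holding the `Mail.ReadWrite` application permission.

```python
import time
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

def graph_call(transport, method, url, max_retries=5):
    # transport(method, url) -> (status, headers, body); Graph throttles bulk work with 429/503
    for attempt in range(max_retries):
        status, headers, body = transport(method, url)
        if status not in (429, 503):
            if status >= 400:
                raise RuntimeError(f"{method} {url} -> HTTP {status}")
            return body
        time.sleep(float(headers.get("Retry-After", 2 ** attempt)))  # honour the stated back-off
    raise RuntimeError(f"still throttled after {max_retries} attempts: {url}")

def find_instances(transport, mailboxes, message_id):
    # Every copy of one RFC 5322 Message-ID across mailboxes -> (mailbox, graph id, was_read)
    flt = quote(f"internetMessageId eq '{message_id}'", safe="")
    hits = []
    for mbx in mailboxes:
        url = f"{GRAPH}/users/{mbx}/messages?$filter={flt}&$select=id,isRead"
        while url:  # follow @odata.nextLink until the collection is exhausted
            body = graph_call(transport, "GET", url)
            hits += [(mbx, m["id"], bool(m.get("isRead"))) for m in body.get("value", [])]
            url = body.get("@odata.nextLink")
    return hits

def purge(transport, hits):
    # Delete each copy; return (purged, opened_by) for the audit log and user warnings
    for mbx, msg_id, _ in hits:
        graph_call(transport, "DELETE", f"{GRAPH}/users/{mbx}/messages/{msg_id}")
    return [(m, i) for m, i, _ in hits], [m for m, _, was_read in hits if was_read]

# Constructed offline tenant: alice opened the phish, bob did not, carol never got it; bob's first lookup is throttled once
FAKE_TENANT = {"alice@x.example": [{"id": "m1", "isRead": True}],
               "bob@x.example": [{"id": "m2", "isRead": False}], "carol@x.example": []}
FAKE_STATE = {"throttle_bob_once": True}

def fake_transport(method, url):
    mbx = url.split("/users/")[1].split("/")[0]
    if method == "DELETE":
        return 204, {}, {}
    if mbx.startswith("bob@") and FAKE_STATE.pop("throttle_bob_once", None):
        return 429, {"Retry-After": "0"}, {}
    return 200, {}, {"value": FAKE_TENANT[mbx]}

def demo(message_id="<phish-123@attacker.example>"):
    return purge(fake_transport, find_instances(fake_transport, list(FAKE_TENANT), message_id))
```

Running `demo()` purges both copies and flags alice as someone who already opened the message; in production the `opened_by` list feeds the recipient warning step described above.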
Free tier: Manual search of up to 50 mailboxes per incident, 1 incident/month — enough to get admins hooked during their first real compromise. Paid ($149/month): Unlimited mailboxes, unlimited incidents, automated mass-send detection, recipient notifications, audit trail exports. Enterprise ($3/user/month, 500+ seats): SSO, RBAC, API access, custom retention policies, SLA. Pay-per-incident ($49): For the long tail who won't commit monthly — this becomes your top-of-funnel. Adjacent expansion: phishing simulation ($99/month add-on), email security posture assessment, compliance reporting for cyber insurance applications.
8-12 weeks to first dollar. Weeks 1-6: Build MVP with OAuth flow, message search, bulk purge, and basic notification. Weeks 6-8: Beta with 5-10 sysadmins recruited from Reddit r/sysadmin and r/msp — they will find bugs and validate the workflow. Weeks 8-10: Polish based on feedback, add Stripe billing, launch landing page. Weeks 10-12: Post launch on r/sysadmin, Product Hunt, MSP forums. First paying customers likely from the beta cohort. Revenue will be lumpy — expect $500-2,000 MRR in month 1, scaling to $5-10K MRR by month 6 if product-market fit is real. The pay-per-incident model will likely generate first revenue faster than subscriptions.
- “about 2000 emails sent in total”
- “a lot of people didn't think twice”
- “Found 164 malicious messages sitting in 82 mailboxes”
- “Used powershell to mass purge the emails”