SIEM Comparison

Your SIEM Detects the Login. Who Detects What Happens Next?

SIEMs are built to detect anomalous authentication events. MailBreach is built to detect what attackers do after they log in — the hidden forwarding rules, inbox manipulation, and email exfiltration that SIEMs can't see.

Free 14-day trial. Connect your tenant and see what your SIEM is missing.

What Your SIEM Sees — and What It Doesn't

Your SIEM (Security Information and Event Management) system is the backbone of your security operations. It ingests logs from identity providers, firewalls, endpoints, and cloud services. It correlates events, detects anomalies, and generates alerts. For email-related threats, your SIEM likely monitors Microsoft 365 or Google Workspace audit logs for suspicious login activity: impossible travel, unfamiliar devices, failed MFA attempts, and geographic anomalies.

This is valuable, but it covers only the first phase of an email attack. Once an attacker successfully authenticates — whether through credential phishing, token theft, or MFA fatigue — they move to the persistence phase. They create inbox rules that forward email to external addresses, modify mail flow settings, or configure delegates. These actions generate audit log entries, but they're often buried in millions of routine events and don't match the SIEM's detection rules.

The fundamental issue is that SIEMs are log correlation engines, not email configuration scanners. They can tell you that someone logged in from an unusual location, but they can't tell you that a mailbox now has a hidden MAPI-level forwarding rule that wasn't there yesterday. They don't maintain a baseline of inbox rules per mailbox, they don't parse the binary format of MAPI rules, and they don't cross-reference forwarding destinations against domain allowlists.

  • SIEMs detect anomalous logins, impossible travel, and failed MFA attempts
  • SIEMs do not scan individual mailboxes for inbox rule changes
  • MAPI-level rules are not captured in standard audit log events
  • Inbox rule creation events are buried in millions of log entries

The Post-Login Gap in Your Security Stack

Most enterprise security stacks have a well-defined chain of defense for email: email gateway (inbound filtering), identity provider (authentication and MFA), SIEM (log correlation and alerting), and EDR (endpoint detection). Each layer addresses a specific attack phase. But there's a critical gap between the SIEM detecting a compromised login and the security team discovering what the attacker did with that access.

In a typical BEC timeline, the attacker logs in (detected by SIEM), creates a forwarding rule (not detected), and begins monitoring the victim's email (not detected). The SIEM alert fires, the security team investigates, resets the password, and closes the ticket. But the forwarding rule persists. Email continues flowing to the attacker for weeks or months because nobody checked the mailbox's rule configuration as part of the incident response process.

This gap exists because mailbox configuration scanning requires different technology than log analysis. You need an agent that connects to each mailbox via the Graph API or Gmail API, enumerates all rules (including hidden MAPI-level rules), compares them against a known baseline, and flags anomalies. SIEMs are not designed to do this — they process log streams, not mailbox states.
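The baseline-and-diff step described above, as an added example that is not MailBreach's own code: it compares a mailbox's current inbox rules against a stored baseline and classifies any new or modified rule. The rule dictionaries are constructed samples shaped like Microsoft Graph messageRule objects, and the approved-domain allowlist is an assumption.

```python
# Added example (not MailBreach code): diff a mailbox's inbox rules against a
# baseline and classify new/changed rules. Rule dicts are constructed to mirror
# the shape of Microsoft Graph messageRule objects; the allowlist is assumed.
from typing import Dict, List

ALLOWED_DOMAINS = {"example.com"}  # assumed approved forwarding domains
FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Constructed samples: yesterday's baseline and today's scan of one mailbox.
BASELINE = [
    {"id": "r1", "displayName": "Invoices", "isEnabled": True,
     "actions": {"moveToFolder": "Invoices"}},
]
CURRENT = BASELINE + [
    {"id": "r2", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "wire"]},
     "actions": {"delete": True, "forwardTo": [
         {"emailAddress": {"address": "drop@attacker-mail.invalid"}}]}},
]

def forward_targets(rule: dict) -> List[str]:
    """Every address the rule forwards or redirects mail to."""
    actions = rule.get("actions", {})
    return [r["emailAddress"]["address"].lower()
            for key in FORWARD_KEYS for r in actions.get(key, [])]

def classify(rule: dict) -> List[str]:
    """Suspicious traits of one rule; an empty list means nothing notable."""
    findings, targets = [], forward_targets(rule)
    external = [a for a in targets if a.rsplit("@", 1)[-1] not in ALLOWED_DOMAINS]
    if external:
        findings.append("external-forward:" + ",".join(external))
    if targets and rule.get("actions", {}).get("delete"):
        findings.append("forward-and-delete")  # victim never sees the forwarded mail
    if not rule.get("displayName", "").strip(". "):
        findings.append("blank-name")  # near-empty names evade casual review
    if rule.get("conditions", {}).get("bodyOrSubjectContains"):
        findings.append("keyword-targeting")
    return findings

def diff_rules(baseline: List[dict], current: List[dict]) -> Dict[str, dict]:
    """Rules that are new or changed since the baseline, keyed by rule id."""
    before = {r["id"]: r for r in baseline}
    alerts = {}
    for rule in current:
        if rule["id"] not in before:
            alerts[rule["id"]] = {"change": "new", "findings": classify(rule)}
        elif before[rule["id"]] != rule:
            alerts[rule["id"]] = {"change": "modified", "findings": classify(rule)}
    return alerts
```

In a real deployment the baseline would be persisted per mailbox after each scan and the returned alerts handed to the webhook that feeds the SIEM.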

How MailBreach Complements Your SIEM

MailBreach is not a replacement for your SIEM — it's the missing layer that fills the post-login detection gap. While your SIEM monitors the authentication plane, MailBreach monitors the configuration plane. Together, they provide complete visibility into email-based attacks from initial compromise through data exfiltration.

The integration is straightforward. MailBreach runs independently of your SIEM, connecting directly to your Microsoft 365 or Google Workspace tenant via OAuth. It scans every mailbox for forwarding rules, inbox rules, mail flow configurations, and delegate permissions. When it detects a suspicious rule, it generates an alert that can be forwarded to your SIEM via webhook integration, creating a unified alert stream for your SOC team.

For organizations that have already invested heavily in their SIEM, MailBreach adds value without requiring changes to your existing log pipeline. You don't need to configure new log sources, write new detection rules, or train your SOC analysts on email-specific forensics. MailBreach handles the specialized work of mailbox scanning and rule classification, and surfaces actionable findings in a format your team can act on immediately.

  • SIEM monitors the authentication plane; MailBreach monitors the configuration plane
  • Webhook integration sends MailBreach alerts to your existing SIEM
  • No changes required to your log pipeline or SIEM configuration
  • Actionable findings with severity classification and remediation guidance

What MailBreach Detects That Your SIEM Cannot

MailBreach's detection engine is purpose-built for the specific threat of email exfiltration through inbox manipulation. It uses 12 detection patterns that map to known attacker techniques, many of which are invisible to SIEM-based detection because they don't generate distinctive audit log events.

Hidden MAPI-level forwarding rules are the clearest example. These rules are created through a protocol-level API that does not generate the same audit log entries as rules created through Outlook or the Exchange admin center. Your SIEM may not see the creation event at all. Even if it does, it won't be able to inspect the rule's configuration because MAPI rules are stored as binary blobs, not as structured log fields.

Other detection gaps include: transport rule modifications that create exceptions for specific sender domains, cross-tenant forwarding configurations in multi-tenant environments, Gmail API-created filters that don't appear in the user's Settings UI, and delegate mailbox access configured at the admin level. MailBreach inspects all of these configuration surfaces, maintains a baseline for comparison, and alerts on any deviation from the known-good state.

Key Capabilities

Configuration-Plane Monitoring

Scans every mailbox for inbox rules, forwarding settings, and mail flow configurations — the configuration data that SIEMs don't inspect.

Baseline Comparison

Maintains a per-mailbox baseline of known rules and flags any new or modified rules, even if they don't generate distinctive log events.

SIEM Integration via Webhooks

Sends alerts to your SIEM, SOAR, or ticketing system via configurable webhooks. Unified alert stream without modifying your log pipeline.

12 Detection Patterns

Purpose-built patterns for email exfiltration tactics: external forwarding, keyword targeting, MAPI-level rules, cross-tenant forwarding, and more.

Ready to secure your email?

Start detecting hidden forwarding rules in minutes. No credit card required.

Fill the Gap in Your SIEM