// DOC: SOLUTION_BRIEF
REV 1.0 · 2025

IntegrityLayer
Solution Brief

Close the Identity Gap in Microsoft 365 and Google Workspace. Intent-Based Step-Up MFA for high-risk outbound transactions — no MX or DNS changes required.

Target: MSP Directors · vCISOs · Compliance Officers | Sectors: Financial · Legal · Healthcare
This document is formatted for printing. Bring it to your next client meeting.
01 / EXECUTIVE SUMMARY

Business Email Compromise (BEC) cost organizations $47 billion in 2024. The attack vector isn't spam — it's valid, authenticated sessions from compromised accounts. Every passive AI email filter on the market (Microsoft Defender, Abnormal Security, Proofpoint) shares the same architectural flaw: it analyzes and alerts, but cannot stop a transaction originating from an already-authenticated session.

IntegrityLayer closes this gap by implementing a physical verification gate on every high-risk outbound email. When a wire transfer, payroll change, or sensitive document request is detected, the mail is quarantined and the sender must verify intent using their physical device — before the message is delivered. An attacker without the device is permanently blocked.

02 / THE PROBLEM: SESSION HIJACKING WINS
01 / OAuth Token Theft
Attackers steal OAuth refresh tokens via phishing or adversary-in-the-middle proxies. The token grants API access to the mailbox — indistinguishable from the legitimate user. SPF, DKIM, and DMARC all pass.
02 / Valid Session = Trusted Sender
Every AI filter evaluates behavioral baselines. A compromised CEO session IS the baseline. Mail scoring shows 0.12 risk (clean). The email is delivered.
03 / No Physical Gate
Alerts route to admins, not to the transaction itself. The average admin response time to a BEC alert is 4+ hours. By then, the wire has processed.
03 / THE SOLUTION: SNATCH & RELEASE

IntegrityLayer operates at the account API layer, not the mail transport layer. This means no MX record changes, no DNS modifications, and no browser extensions. Coverage is protocol-level — the CEO can be on an iPhone, Android, desktop, or web client.

01 / DETECT
AI Intent Classification
Microsoft Graph webhooks (Microsoft 365) or Gmail Pub/Sub notifications stream every internal outbound message to a Cloudflare Worker, where GPT-4o-mini classifies its intent in under 200 ms.
02 / HOLD
Instant Quarantine
High-risk mail is moved to a hidden quarantine folder via API before the recipient's inbox receives it. The sender is notified that MFA is required.
03 / VERIFY
Physical MFA Gate
Sender receives a TOTP challenge on their physical device. On success, the original message is released to the inbox — unmodified.
# admin/config.yml — Sample risk policy
risk_threshold: 0.75    # 0–1 scale, configurable per client
intent_classes: [WIRE_TRANSFER, PAYROLL_CHANGE, ROUTING_NUMBER, EXECUTIVE_REQUEST]
mfa_type: totp          # TOTP via authenticator app
fail_mode: open         # fail-open: mail delivers if worker unreachable
04 / TECHNICAL ARCHITECTURE
Deployment Requirements
Azure Enterprise App (Graph API) — or —
Google Workspace Marketplace App
No MX record changes
No DNS modifications
No client-side software or browser extensions
30-second admin setup via Azure Entra / GWS Admin Console
Infrastructure
Cloudflare Workers (edge compute, <500ms latency)
Cloudflare D1 (audit log storage)
Cloudflare R2 (quarantine metadata)
OpenAI GPT-4o-mini (intent classification)
Microsoft Graph API v1.0
Google Gmail API + Pub/Sub
Reliability & Fail-Safe Specifications
Worker uptime: 99.99% (Cloudflare SLA)
Intercept latency: <500ms end-to-end
Fail mode: OPEN (mail flows on outage)
Latency budget: 500ms, configurable
05 / COMPLIANCE MAPPING

IntegrityLayer is designed to support the following compliance frameworks. Consult your compliance officer for specific applicability to your environment.

Framework | Controls Addressed | Applicability
SOC 2 Type II | CC6.1, CC6.6, CC6.8 (Logical Access, Boundary Protection) | Financial, Legal, SaaS
CMMC Level 2 | IA.3.083 (Multi-Factor Authentication for CUI access) | Defense Contractors
HIPAA Security Rule | §164.312(d) — Person Authentication | Healthcare MSPs
NIST SP 800-53 | IA-2, IA-4, IA-5 (Identification and Authentication) | Federal, Enterprise
FINRA / SEC | Email communication archival + audit trail support | Financial Advisors, RIAs
GDPR Article 32 | Technical measures for data integrity in communications | EU Operations

Note: IntegrityLayer is currently in Design Partner Beta. SOC 2 audit is planned for Q4 2025. AES-256 encryption is implemented at rest and in transit.

06 / PLATFORM COVERAGE
Platform / Client | Coverage | Notes
iOS Outlook | ✓ Full | API-layer — no extension required
Android Gmail | ✓ Full | API-layer — no extension required
Desktop Outlook (Win/Mac) | ✓ Full | Graph API intercept
OWA / Outlook Web | ✓ Full | Graph API intercept
Gmail.com (Web) | ✓ Full | Gmail API intercept
Apple Mail (IMAP) | Partial | IMAP clients not intercepted; Graph covers send-as
Design Partner Beta — 3 of 5 slots remaining

Ready to Close the Gap?

Apply for the IntegrityLayer Design Partner Beta. Financial and Legal MSPs prioritized. Includes permanent NFR license, weekly engineering calls, and preferred partner pricing at launch.