Go back

The Inbox is a Master Key. Material Secures It Like One

Material Security protects the identity layer inside your email by applying conditional access to sensitive credentials like magic links and password resets, preventing attackers from using the mailbox as a master key to downstream applications.

Product
July 16, 2026
7m read
7m read
7m listen
7m watch
7m watch
The Inbox is a Master Key. Material Secures It Like OneThe Inbox is a Master Key. Material Secures It Like One
speakers
speakers
speakers
authors
Material Security Team
participants
No items found.
share

Material Security protects the identity layer inside your email by applying conditional access to sensitive credentials like magic links and password resets, preventing attackers from using the mailbox as a master key to downstream applications.

Your mailbox is an identity provider. Nobody designed it that way, but that's what it’s become.

Think about what actually lives in a corporate inbox: password resets, magic sign-in links, signup confirmations, verification codes. Every one of those is a short-lived credential. Anyone who can read the message can use it, and most of the apps that send them will hand an account to whoever opens the link.

The industry put strong MFA on the front door of Google Workspace and Microsoft 365 and decided the identity problem was handled. It wasn't: MFA only guards the login. Once someone is already inside the mailbox, it has nothing left to say.

The gap MFA doesn't cover

Imagine an attacker with a live compromised mailbox session. They might have stolen a session cookie and skipped the login screen, picked up a delegated OAuth grant, or they could be an insider working from a laptop someone left signed in at a coffee shop. However they got there, the login ceremony is behind them.

Now they don't have to break into anything else. They search the inbox for the services the employee uses, request a password reset or a magic link, open the email, and take over the downstream app. That app might have weak MFA, or none, or no link to your IdP at all. Its recovery flow trusts the email address, and the email address is compromised.

One study of 71 MFA-enabled websites found that access to the associated email account was often enough to bypass or disable MFA through weak recovery paths. The mailbox is the master key, and most security programs never account for it.

The Composio breach followed this exact path

In May 2026, Composio disclosed an incident that runs right along this seam. The attacker started with one compromised Gmail OAuth token belonging to a Composio employee, which handed over that employee's inbox.

From there, the inbox did the rest of the work. They intercepted magic sign-in links arriving in the mailbox and used them to authenticate into an internal monitoring tool that trusted email as proof of identity. That foothold carried the rest: malicious tool definitions registered in Composio's execution sandbox, arbitrary code execution, and an auxiliary cache holding customer secrets. Roughly 5,241 API keys and 5,001 GitHub OAuth tokens ended up exposed.

The first two moves are the whole story: mailbox access, then a magic link read straight out of the inbox, and the attacker is standing inside a system that never should have trusted email alone in the first place. Composio's own guidance afterward told teams to turn off magic-link sign-in for internal systems, which tells you exactly where the real weak point was. The magic link was the pivot.

The agent angle makes it sharper. Composio exists to give AI agents OAuth access to apps at scale, and the tool the attacker pivoted into was itself an agentic monitor with broad standing privilege. Every AI tool your employees wire up leans on the same email-mediated logins and holds the same kind of token. The credentials are already sitting in the inbox, and the machinery to chain them is now standard equipment.

What Material does

Material reads the mailbox as an identity surface, not a message stream. When one of those messages lands, a reset, a magic link, a code, a signup confirmation, Material recognizes it and holds it back before it reaches the inbox. The user gets a protected placeholder instead. To retrieve the original, they complete a step-up challenge through the company's identity provider: approve through Okta Verify, authenticate over SAML, and Material releases the real message.

Material protects password resets, magic links, and other account verifications behind a step-up authentication.

It's conditional access, applied to sensitive email actions instead of logins. You already gate risky logins on device posture and identity; Material puts the same kind of check in front of the identity-bearing artifacts sitting in the inbox. An attacker with the mailbox can read your newsletters. They cannot quietly reset your Salesforce password.

This shows up in three places.

Containing lateral movement after a mailbox is compromised. Assume the mailbox is gone: that's the strongest case for this feature. Material keeps it from becoming a launchpad. It intercepts the reset email, stands a fresh identity challenge in front of it, and the stolen session suddenly buys the attacker far less. Same instinct as assuming breach and shrinking the blast radius, aimed at the one asset everyone still leaves exposed.

Extending MFA to apps outside SSO. Your Okta or Entra policies cover the sanctioned apps. They don't cover the long tail of services employees sign up for on their own. Material finds those apps by reading their account emails, shows you which ones lack SSO, and can require step-up around resets and other sensitive messages. Material never touches the third-party app itself. It adds a stronger check to the email path that app leans on for recovery, which is where the weakness sat all along.

Blocking signups for unsanctioned apps. The same mechanism runs in reverse. When an employee signs up for something you haven't approved, Material catches the confirmation email, applies policy, and blocks it. The employee gets your guidance instead of a working account. This matters most for AI tools, where anyone can spin up an account with a corporate address in under a minute, with no procurement step and no OAuth footprint. If the only trace of that signup is an email, an email-native control is the one thing positioned to catch it.

Discovery is part of the feature

Most shadow-IT tools see network traffic, endpoint activity, expense reports, or OAuth grants. Material sees something they don't: the account emails generated every time an employee creates or maintains a service.

Material sees which services are in use by reading their confirmations, resets, and security alerts. It can then tell who has accounts on them, which ones skip SSO, and where OAuth scopes have grown too broad, then act: allow, step up, warn, or block. The email-only signups that never reach your IdP surface here first.

What customers do with it

MyFitnessPal uses Material on both sides of this: protecting sensitive emails behind a step-up challenge and blocking unsanctioned apps by intercepting their account emails. Their security team has framed it as a smart way to turn email patterns into an app-usage control.

“The reason we started looking at Material was primarily because we were trying to find a solution that was attacking more aspects of the threat area with the productivity suite than just purely threat-based phishing.” - Allen Cox, Sr Director, IT & Security, MyFitnessPal

SavvyMoney points to MFA enforcement and automatic blocking of unsanctioned apps as a headline outcome, alongside step-up protection for their sensitive financial data.

“It’s even better that any financial data is secured behind an effective barrier that is unique to Material because of the step up auth to access anything sensitive. I love that.” - Giovanni Sanchez, Systems Engineer, SavvyMoney

The idea underneath it

The inbox holds identity-bearing artifacts. A magic link or a password-reset token is a live credential with a short fuse. The industry's habit has been to secure the app that issued the credential and ignore the copy sitting in the mailbox. Material flips that and secures the credential where it actually lives.

Thousands of business applications still handle signup and account recovery through email, and that isn't changing anytime soon. AI agents are about to lean on those flows harder than any human ever did. If the mailbox is the master key, someone needs to be watching the lock: that's what Material was built to do.

Frequently Asked Questions

Find answers to common questions and get the details you need.

No items found.

Related posts

Our blog is your destination for expert insights, practical tips, and the latest news in technology. Stay informed with our regular updates and in-depth articles. Join the conversation and enhance your understanding of the tech landscape.

blog post

The Inbox is a Master Key. Material Secures It Like One

Material Security protects the identity layer inside your email by applying conditional access to sensitive credentials like magic links and password resets, preventing attackers from using the mailbox as a master key to downstream applications.

Material Security Team
7
m read
Read post
Podcast

The Inbox is a Master Key. Material Secures It Like One

Material Security protects the identity layer inside your email by applying conditional access to sensitive credentials like magic links and password resets, preventing attackers from using the mailbox as a master key to downstream applications.

7
m listen
Listen to episode
Video

The Inbox is a Master Key. Material Secures It Like One

Material Security protects the identity layer inside your email by applying conditional access to sensitive credentials like magic links and password resets, preventing attackers from using the mailbox as a master key to downstream applications.

7
m watch
Watch video
Downloads

The Inbox is a Master Key. Material Secures It Like One

Material Security protects the identity layer inside your email by applying conditional access to sensitive credentials like magic links and password resets, preventing attackers from using the mailbox as a master key to downstream applications.

7
m listen
Watch video
Webinar

The Inbox is a Master Key. Material Secures It Like One

Material Security protects the identity layer inside your email by applying conditional access to sensitive credentials like magic links and password resets, preventing attackers from using the mailbox as a master key to downstream applications.

7
m listen
Listen episode
blog post

What Is an Email Bomb? How Inbox Flooding Attacks Work and How to Stop Them

Material delivers a new solution to a resurgent threat: automated remediations to email flooding attacks.

Nate Abbott
5
m read
Read post
Podcast

What Is an Email Bomb? How Inbox Flooding Attacks Work and How to Stop Them

Material delivers a new solution to a resurgent threat: automated remediations to email flooding attacks.

5
m listen
Listen to episode
Video

What Is an Email Bomb? How Inbox Flooding Attacks Work and How to Stop Them

Material delivers a new solution to a resurgent threat: automated remediations to email flooding attacks.

5
m watch
Watch video
Downloads

What Is an Email Bomb? How Inbox Flooding Attacks Work and How to Stop Them

Material delivers a new solution to a resurgent threat: automated remediations to email flooding attacks.

5
m listen
Watch video
Webinar

What Is an Email Bomb? How Inbox Flooding Attacks Work and How to Stop Them

Material delivers a new solution to a resurgent threat: automated remediations to email flooding attacks.

5
m listen
Listen episode
blog post

Consent Is the New Vulnerability

OAuth consent has emerged as a critical security vulnerability that bypasses traditional authentication like MFA and passwords, granting attackers persistent, automated access that survives even password resets and account offboarding.

Kate Hutchinson
5
m read
Read post
Podcast

Consent Is the New Vulnerability

OAuth consent has emerged as a critical security vulnerability that bypasses traditional authentication like MFA and passwords, granting attackers persistent, automated access that survives even password resets and account offboarding.

5
m listen
Listen to episode
Video

Consent Is the New Vulnerability

OAuth consent has emerged as a critical security vulnerability that bypasses traditional authentication like MFA and passwords, granting attackers persistent, automated access that survives even password resets and account offboarding.

5
m watch
Watch video
Downloads

Consent Is the New Vulnerability

OAuth consent has emerged as a critical security vulnerability that bypasses traditional authentication like MFA and passwords, granting attackers persistent, automated access that survives even password resets and account offboarding.

5
m listen
Watch video
Webinar

Consent Is the New Vulnerability

OAuth consent has emerged as a critical security vulnerability that bypasses traditional authentication like MFA and passwords, granting attackers persistent, automated access that survives even password resets and account offboarding.

5
m listen
Listen episode
blog post

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

James Juran
5
m read
Read post
Podcast

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

5
m listen
Listen to episode
Video

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

5
m watch
Watch video
Downloads

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

5
m listen
Watch video
Webinar

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

5
m listen
Listen episode
Privacy Preference Center

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

New