Business Email Compromise (BEC) attackers do not need access to your inbox to harm you. They modify your mailbox configuration — forwarding rules, inbox rules, app passwords, delegated permissions — and use it as a beachhead. The only way to detect this is to read the configuration.
OAuth, not passwords
We use Microsoft's and Google's standard OAuth consent flow. You log in through their site, not ours. We never see your password. We receive only a scoped access token.
We never read message content
Our scopes request configuration metadata only — not message bodies, not attachments, not contact lists. You can verify the exact scopes Microsoft or Google shows you on the consent screen.
Fully revocable
You can revoke our access at any time, both on our side and on Microsoft/Google's side. See Rescan or revoke access.