hi, here is what comes to my mind;
-there is a heartbleed vulnerable webmail server
-users log in to mail server
-attacker exploits heartbleed and captures webmail login credentials of users
-then we update mail server and retry and fail to exploit.
if this is good for you, i am ready to deliver in promised days. if need be i can even arrange a demo.
(btw i am an ms grad in information security, and i already wrote many reports like this one)