Mimecast Cert Abused to Target Inboxes in “Sophisticated” Attack

Written by

Mimecast has disclosed that some of its customers have been targeted by an advanced attack designed to compromise their Microsoft 365 (M365) environments.

The security vendor said in a brief statement yesterday that a “sophisticated threat actor” obtained one of its certificates used to authenticate Mimecast Sync and Recover, Continuity Monitor and IEP products to Microsoft 365 Exchange Web Services.

Although 10% of customers use this certificate, the attacker only targeted a “low single-digit number” of customer M365 tenants. These organizations have already been contacted by Mimecast to remediate the problem.

“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” the statement continued.

“Taking this action does not impact inbound or outbound mail flow or associated security scanning.”

There’s no news yet on who might be responsible for this sophisticated attack and/or whether nation state actors were involved. SolarWinds revealed in a filing with the SEC last month that it had been notified by Microsoft of a compromise of its Office 365 emails via an unspecified “attack vector.”

“SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether this compromise is associated with the attack on its Orion software build system,” it explained at the time.

“SolarWinds also is investigating in collaboration with Microsoft as to whether any customer, personnel or other data was exfiltrated as a result of this compromise but has uncovered no evidence at this time of any such exfiltration.”

In the meantime, Mimecast said it has hired a third-party forensics firm to help with its investigation, and is working closely with Microsoft and law enforcement.

What’s hot on Infosecurity Magazine?