Mimecast certs compromised by "sophisticated threat actor"

Mimecast certificates used to authenticate its products to Microsoft 365 Exchange Web Services exploited.

Email resilience company Mimecast, which processes over 1 billion emails daily for 36,000+ customers, said today that a certificate it issues to customers to authenticate its products to Microsoft 365 Exchange Web Services "has been compromised by a sophisticated threat actor."

In an update today strikingly short on detail (compared for example to FireEye's comprehensive write-up after it reported a compromise on December 8, 2020), Mimecast said that "approximately 10 percent of our customers use this connection". It did not specify how many of them were potentially using the exposed/compromised certificate in question. ~10% of Mimecast's customers is over 3,600 companies.

The company was alerted to the breach by Microsoft, it said. The certificate in question was used to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products.

Mimecast certificates compromised

Mimecast, which integrates with Microsoft Exchange, Office 365 and Google Apps to provide email security, archiving and continuity services in the event of primary email service outages, said: "There are indications that a low single digit number of our customers’ M365 tenants were targeted. We have already contacted these customers to remediate the issue."

Mimecast added: "As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available. Taking this action does not impact inbound or outbound mail flow or associated security scanning.

"The security of our customers is always our top priority. We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate."

The incident comes 15 months after Mimecast's CEO made a video apology for sustained outages that he blamed on "the way certain network traffic conditions interact with our firewalls." Mimecast runs its services via networks in twelve of its own/co-located data centers in six locations around the world. It runs on a proprietary operating system, Mime OS, which comprises 20+ microservices that control the hardware, and the storage, indexing, processing, services, administrator and user interface layers of the company’s cloud environment.
