A threat actor has compromised a certificate issued to Mimecast, causing issues with one of the company’s customers, Microsoft 365, Threatpost reported. The company specializes in email security services through its servers.
Experts say the issue can open up systems to cyberattackers, giving them an opportunity to hijack the connections that carry inbound and outbound email.
According to Thycotic CISO Terence Jackson, “The certificates that were compromised were used by Mimecast email security products.”
He added, “These products would access customers’ Microsoft 365 exchange servers in order for them to provide security services (backup, spam, and phishing protection).”
“Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications,” said Jackson.
Meanwhile, ZDNet clarified that about 10% of Mimecast’s customers were affected by the hack, as this portion uses products associated with that certificate. The company also said that the percentage of affected customers is under 10 and in the lower single-digit range.
Threatpost noted that the company has 36,000 customers, which means that around 3,600
Mimecast has already notified all those involved. It also advised them to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate [they] have made available.
Threatpost explains that the certificate is “used to verify and authenticate those connections made to Mimecast’s Sync and Recover,” which are “backups for mailbox folder structure, calendar content, and contacts from Exchange On-Premises or Microsoft 365 mailboxes.”
The certificate is also used to confirm connections to Mimecast’s Continuity Monitor and Internet Email protection (IEP).
While threat actors may have access to email servers, they would need to take additional steps to acquire personal information.
Cerberus Sentinel vice president of Solutions Architecture Chris Clemens said, “They don’t appear to have identified the exact nature and use case for the certificate compromised, but two possibilities are likely.”
Regarding the attack, Mimecast noted that investigations are still underway. No culprit has been identified, and the intention is still unknown.
Some reports have found similarities with the recent SolarWinds hack, as it is also related to third-party software. A few experts speculate that the threat actors behind the Mimecast and SolarWinds hacks are the same.
The email service provider has yet to comment on this speculation. However, it said that it will provide updates after finding out more about the incident.