Email Security Firm Fell For A Microsoft Email Supply-Chain Attack

12/01/2021

Mimecast, a London-based email software company that develops cloud email management software, has disclosed that hackers hijacked its products.

The email security provider said it had been alerted to the attack by investigators at Microsoft: hackers had obtained one of the digital certificates used to secure connections between its products and Microsoft's cloud services, and abused it in order to gain access to some of its clients' Microsoft 365 accounts.

The products that used this certificate include Mimecast Sync and Recover, Continuity Monitor, and IEP products, said the company in an announcement.

Mimecast said that around 10% of its more than 36,000 customers used the affected products with this particular certificate. However, the "sophisticated threat actor" abused the stolen certificate to gain access to only a handful of these customers' Microsoft 365 accounts.

The company believed “a low single digit number” of users had been specifically targeted.

Mimecast API integration.
"As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available. Taking this action does not impact inbound or outbound mail flow or associated security scanning."

Mimecast provides a range of email security products, including systems to block malicious web links, phishing attempts and hackers using fake identities in order to trick their victims into revealing sensitive information.

Cybersecurity investigators, who spoke on condition of anonymity to discuss the case, said they suspected the hackers were the same group that broke into U.S. software maker SolarWinds and a host of sensitive U.S. government agencies.

When the SolarWinds hack was first disclosed, it was considered one of the most ambitious cyber-espionage campaigns ever uncovered.

U.S. intelligence agencies have blamed Russia, which has repeatedly denied the allegations.

When the news first broke, Mimecast declined to comment on whether the hack was related to the SolarWinds supply-chain attack.

Read: The U.S. Government Fell For 'Solorigate', The Massive 'Grave Risk' Data Breach

This is considered a sophisticated attack, because the certificate "enables their customers to connect certain Mimecast applications to their M365 tenant."

Since these certificates are the identity with which Mimecast services authenticate to Microsoft's cloud, they were legitimate credentials. This means the hackers could have connected without raising suspicion, and eavesdropped on and exfiltrated email communications.

Making matters worse, the hackers could also have disabled Office 365's Mimecast protections altogether, making an email-borne attack more effective.

Following the news, Mimecast’s stock went down $2.40 per share (4.67%) to $49 per share in pre-market trading on Tuesday. This was the lowest the company’s stock has traded since December 15.

“The security of our customers is always our top priority,” Mimecast said in a statement.

“We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate.”

"These statements are subject to future events, risks and uncertainties – many of which are beyond our control or are currently unknown to Mimecast," the company concluded.