Mimecast Says Hackers Compromised Digital Certificate

Email Security Company Says Fewer Than 10 Customers Targeted

Email security provider Mimecast says hackers compromised a digital certificate that encrypts data that moves between several of its products and Microsoft’s servers, putting organizations at risk of data loss.

The certificate, which is issued by Mimecast, encrypts data exchanged between the company’s Sync and Recover, Continuity Monitor and Internal Email Protect products and Microsoft 365 Exchange Web Services.

Mimecast, which is based in London, says that 10% of its customers, or about 3,900, use this type of connection between its products and Microsoft. In its last earnings call in November 2020, Mimecast reported it has 39,200 customers around the world.

The company believes that fewer than 10 of those 3,900 customers were targeted as a result of the certificate compromise. It did not identify those customers, although it says they have been contacted.

“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” Mimecast says in a statement. “Taking this action does not impact inbound or outbound mail flow or associated security scanning.”

Few Details Released

Microsoft alerted Mimecast to the problem. Mimecast says it's working with Microsoft as well as law enforcement officials and has hired a third-party forensics expert.

Mimecast didn’t describe how it was compromised or if there were other effects. A spokesman offered no further comment.

How hackers could leverage the compromised certificate is difficult to determine based on the limited information released by Mimecast, says Saryu Nayyar, CEO of the analytics security specialist Gurucul. But in the worst-case scenario, the hackers may be able to interfere with email, secure file backups, archives and more, Nayyar says.

Mimecast acts as a mail transfer agent for Microsoft’s Office365 email system. Mimecast's products sit in between Office365 and their client, performing security actions such as filtering spam and malware, before the content is passed on, Nayyar says.

“We simply don’t know based on what’s been reported how extensive the access was,” she says. “Based on Mimecast’s statements, the attacks were targeted at specific customers, but without more, we can only guess at what the attackers were after.”

Reuters reports that three cybersecurity investigators believe the Mimecast certificate compromise may be connected to the complex SolarWinds supply-chain hack, whose effects continue to rattle enterprises and government agencies (see: SolarWinds Describes Attackers' 'Malicious Code Injection').

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
