Mimecast said on Tuesday that "a sophisticated threat actor" had compromised a digital certificate it provided to certain customers to securely connect its products to Microsoft 365 (M365) Exchange.

The discovery was made after Microsoft notified the company of the breach, the London-based firm said in an alert posted on its website, adding that it has reached out to the impacted organizations to remediate the issue.

The company didn't elaborate on which certificate was compromised, but Mimecast offers seven different digital certificates, selected by geographic region, that must be uploaded to M365 to create a server connection in Mimecast.

"Approximately 10 percent of our customers use this connection," the company said. "Of those that do, there are indications that a low single digit number of our customers' M365 tenants were targeted."

Mimecast is a cloud-based email management service for Microsoft Exchange and Microsoft Office 365 that offers users an email security and continuity platform to safeguard them from spam, malware, phishing, and targeted attacks.

The compromised certificate is used to verify and authenticate Mimecast Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to M365 Exchange Web Services.

Such a breach could enable a man-in-the-middle (MitM) attack, in which an adversary holding the compromised certificate could take over the connection, intercept email traffic, and steal sensitive information.

As a precaution against further abuse, the company said it has asked its customers to delete the existing connection within their M365 tenant with immediate effect and to re-establish a certificate-based connection using the new certificate it has made available.

"Taking this action does not impact inbound or outbound mail flow or associated security scanning," Mimecast stated in its advisory.

An investigation into the incident is ongoing, with the company noting that it will work closely with Microsoft and law enforcement as appropriate.

The development comes as Reuters, citing sources, said the hackers who compromised Mimecast were the same group that breached U.S. software maker SolarWinds and a host of sensitive U.S. government agencies.

"Our investigation is ongoing and we don't have anything additional to share at this time," a spokesperson for the company told The Hacker News.

UPDATE (26 Jan, 2021): Mimecast Breach Linked to SolarWinds Hack

Mimecast on Tuesday formally confirmed that the attackers behind the SolarWinds hack were responsible for compromising a digital certificate the firm provided to secure connections to Microsoft 365 (M365) Exchange.

"Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor," the company said in an update.

"Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the United States and United Kingdom to take precautionary steps to reset their credentials."

The investigation revealed that the threat actor accessed and potentially exfiltrated certain encrypted service account credentials created by customers hosted in the U.S. and the United Kingdom.

The credentials are used to establish connections from Mimecast tenants to on-premise and cloud services, such as LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.

"It is clear that this incident is part of a highly sophisticated large-scale attack and is focused on specific types of information and organizations."

Besides Mimecast, Palo Alto Networks and Fidelis Cybersecurity have also confirmed trojanized versions of the SolarWinds Orion software in their environments, taking the number of cybersecurity vendors targeted by the hackers to seven.
