Mimecast, an email security firm whose products are deployed widely in enterprises, said an attacker was able to steal a certificate that the company issued and that customers use to authenticate Mimecast's products to Microsoft 365 Exchange Web Services.
Because that certificate is what authenticates Mimecast's services to a customer's Microsoft 365 tenant, whoever holds it can present it to Exchange Web Services and act as Mimecast against the tenants of customers that use that connection method, which Mimecast said is about 10 percent of its customer base. Mimecast officials said the attacker, which they did not identify, then used that access to specifically target a “low single digit” number of the company’s customers. The intrusion came to light when Microsoft notified Mimecast about the stolen certificate.
“Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor,” the company said in an announcement Tuesday.
“Approximately 10 percent of our customers use this connection. Of those that do, there are indications that a low single digit number of our customers’ M365 tenants were targeted. We have already contacted these customers to remediate the issue.”
The attack bears the hallmarks of a capable adversary: rather than targeting a single customer, it went after the certificate that a whole population of customers relies on to secure their connections to the Microsoft 365 service. Attackers favor forged or stolen certificates because a valid certificate makes their access look like a legitimate authenticated connection, so it rarely triggers the alerts tuned for conventional intrusion attempts. Mimecast officials said that in response to the incident, they’ve revoked the stolen certificate. Revocation only helps where the relying party actually checks revocation status, which is why the company also asks customers to remove the old connection from their tenants outright.
“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available. Taking this action does not impact inbound or outbound mail flow or associated security scanning,” the announcement says.
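A practitioner following that advice will want to confirm, after re-establishing the connection, that the revoked certificate is no longer registered anywhere in the tenant. The script below is an added example, not Mimecast's or Microsoft's own tooling. It assumes the Mimecast connection is represented in the tenant as an Entra ID (Azure AD) service principal with an X.509 key credential, that the service principal's display name contains "Mimecast", and that the SHA-1 thumbprint of the revoked certificate is known; the thumbprint and name filter below are placeholders, not values from the announcement. It uses the Microsoft Graph PowerShell SDK and needs the Application.Read.All permission.

```powershell
# Added example, not Mimecast or Microsoft code. Assumes the Mimecast EWS
# connection appears as a service principal with an AsymmetricX509Cert key
# credential (an assumption; the announcement does not say how the connection
# is registered). The thumbprint and name filter are placeholders.
# Requires: Install-Module Microsoft.Graph.Applications
param(
    [string]$RevokedThumbprint = "0000000000000000000000000000000000000000",  # placeholder, not the real thumbprint
    [string]$NameFilter = "Mimecast"                                          # assumed display-name substring
)

Connect-MgGraph -Scopes "Application.Read.All" | Out-Null

# Pull every service principal once, then narrow to the ones of interest.
$sps = Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,KeyCredentials |
    Where-Object { $_.DisplayName -like "*$NameFilter*" }

if (-not $sps) {
    Write-Warning "No service principal matching '$NameFilter' found in this tenant."
    return
}

$findings = foreach ($sp in $sps) {
    foreach ($k in ($sp.KeyCredentials | Where-Object { $_.Type -eq 'AsymmetricX509Cert' })) {
        # CustomKeyIdentifier holds the certificate's SHA-1 thumbprint as raw bytes.
        $thumb = if ($k.CustomKeyIdentifier) {
            [System.BitConverter]::ToString($k.CustomKeyIdentifier) -replace '-', ''
        } else { '<none>' }

        [pscustomobject]@{
            ServicePrincipal = $sp.DisplayName
            AppId            = $sp.AppId
            Thumbprint       = $thumb
            NotBefore        = $k.StartDateTime
            NotAfter         = $k.EndDateTime
            Usage            = $k.Usage
            IsRevokedCert    = ($thumb -eq $RevokedThumbprint)   # -eq is case-insensitive in PowerShell
            IsExpired        = ($k.EndDateTime -lt (Get-Date))
        }
    }
}

$findings | Format-Table -AutoSize

# The remediation is only complete when the old certificate is gone and exactly
# the new one remains; flag anything that contradicts that.
if ($findings | Where-Object { $_.IsRevokedCert }) {
    Write-Warning "Revoked certificate is still registered: delete the connection and re-register it with the new certificate."
}
if (($findings | Where-Object { -not $_.IsExpired }).Count -gt 1) {
    Write-Warning "More than one unexpired certificate credential is registered; verify each one is expected."
}
```

Run it once before deleting the old connection to record what is registered, and again after re-establishing the connection with the new certificate; the second run should show the new thumbprint only. Removing a key credential that still carries a valid certificate requires proof of possession of that certificate in Graph, so the deletion itself is best done through the connection's own setup flow rather than by hand.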
The incident follows several weeks of revelations about the breach that began at SolarWinds and has spread to affect many private enterprises and government agencies that employ the SolarWinds Orion platform. One of the techniques used by the adversary behind that operation was to steal the certificates, and with them the private keys, used to sign SAML tokens, forge tokens with those keys, and present the forged tokens to services that accept SAML assertions for authentication, which often includes email services.
The Mimecast incident appears to be far more contained and focused than the SolarWinds intrusion, though. The company said that it has hired an outside forensics expert to investigate the intrusion.