Mimecast Certificate Hacked in Microsoft Email Supply-Chain Attack

mimecast certificate compromise

A sophisticated threat actor has hijacked email security connections to spy on targets.

A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services has been “compromised by a sophisticated threat actor,” the company has announced.

Mimecast provides email security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast’s servers. The certificate in question is used to verify and authenticate those connections made to Mimecast’s Sync and Recover (backups for mailbox folder structure, calendar content and contacts from Exchange On-Premises or Microsoft 365 mailboxes), Continuity Monitor (looks for disruptions in email traffic) and Internal Email Protect (IEP) (inspects internally generated emails for malicious links, attachments or for sensitive content).

A compromise means that cyberattackers could take over the connection, though which inbound and outbound mail flows, researchers said. It would be possible to intercept that traffic, or possibly to infiltrate customers’ Microsoft 365 Exchange Web Services and steal information.

2020 Reader Survey: Share Your Feedback to Help Us Improve

“The certificates that were compromised were used by Mimecast email security products,” Terence Jackson, CISO at Thycotic, told Threatpost. “These products would access customers Microsoft 365 exchange servers in order for them to provide security services (backup, spam and phishing protection). Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications.”

There would be additional steps necessary for the attacker to compromise sensitive information, according to Chris Clements, vice president of Solutions Architecture at Cerberus Sentinel.

“They don’t appear to have identified the exact nature and use case for the certificate compromised but two possibilities are likely,” he told Threatpost. “First, if the stolen certificate was used for Mimecast customers to verify the validity of the servers their users’ connect to (user -> Mimecast), it would allow an attacker that was able to man-in-the middle the user to server connection to easily decrypt the encrypted data stream and access potentially sensitive information.”

This would require the attackers to have compromised a device in the data path between the Mimecast customer’s users and servers; be present on the same local network to perform an ARP spoofing attack; or simply be connected to the same open Wi-Fi network.

“The other much worse possibility is that the stolen certificate was used to authenticate from Mimecast servers directly to Microsoft 365 (Mimecast -> MS365),” he said. “If this were the case and no other security controls limiting access were in place, attackers with this certificate could potentially use it to connect directly to Microsoft and access all of the customer’s data.”

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told Threatpost that attackers could also possibly disable Office 365’s Mimecast protections altogether to make an email-borne attack more effective.

“This would allow access to mail hosted on Office 365, possibly disable certain services like threat protection and alerts, and possibly more,” he said. “This is a compromise of a machine identity: the certificate is the identity of Mimecast services authenticating to Microsoft cloud.”

Mimecast Remains Mum

When reached for comment, a Mimecast spokesperson only said, “Our investigation is ongoing and we don’t have anything additional to share at this time. All updates from Mimecast will be delivered through our blog.”

Mimecast, in a short online posting on Tuesday, said that about 10 percent of its customers use the affected connections. It notes on its website that it has around 36,000 customers, so 3,600 could be potentially compromised. The company went on to say that out of those, “there are indications that a low single digit number of our customers’ Microsoft 365 tenants were targeted. We have already contacted these customers to remediate the issue.”

The hack was brought to Mimecast’s attention by Microsoft, which plans to disable the certificate’s use for Microsoft 365 starting on Jan. 18. In the meantime, Mimecast has issued a new certificate and is urging users to re-establish their connections with the fresh authentication.

The attack is reminiscent of the recently discovered SolarWinds hacks, because of the use of third-party software to reach targets. And indeed, researchers speaking anonymously to Reuters about the Mimecast incident told the outlet that they suspected the same advanced persistent threat responsible for the SolarWinds supply-chain attack is at work here.

Mimecast declined to comment on that assessment.

“The attack against Mimecast and their secure connection to Microsoft’s Office 365 infrastructure appears to be the work of the same sophisticated attackers that breached SolarWinds and multiple government agencies,” Saryu Nayyar, CEO at Gurucul, said via email. “This shows the skill and tenacity state and state-sponsored actors can bring to bear when they are pursuing their agenda. Against this sort of opponent, civilian organizations will need to up their game if they don’t want to become the next headline. Basic cybersecurity is not enough. Organizations need to employ industry best practices, and then go farther with user education, programs to review and update their security, and deploying best in breed security solutions…The long-term advantage is that defenses designed to resist a state-level attack should be more than enough to thwart the more common cybercriminal.”

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.




Suggested articles