Supply Chain Attack Targets Mimecast Digital Certificates

January 27, 2021 | Alexa Hernandez

UPDATE (12/27) Mimecast has confirmed that their certificate compromise was perpetrated by the same threat actor behind the SolarWinds hack and gave hackers access to customers’ on-premises and cloud services. 

According to Mimecast, "Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes."

Venafi Vice President, Security Strategy and Threat Intelligence, Kevin Bocek, warns, “The age of the cloud breach is here, and the most valuable assets in the cloud are machine identities like TLS keys and certificates. Machine identities are used to authenticate devices, services and software. More importantly, they control the flow of sensitive data.”

ORIGINAL POST (12/13) Mimecast, a cloud email management service, was recently the target of a supply chain attack by a “sophisticated threat actor” who compromised and apparently misused a trusted digital certificate. This attack on machine identities has left thousands of Mimecast customers vulnerable to attack, and could have serious long-term repercussions for the London-based email software company.

Understanding how and why attacks against trust like this one occur can help you develop your own machine identity management strategy with the latest best practices and existing threats top of mind, ensuring your organization stays secure!

What Happened and How Did Mimecast Handle It?

Mimecast, a cloud email management software company, recently announced that one of the certificates that was used to authenticate their Microsoft 365 Exchange Web Services was “compromised by a sophisticated threat actor”.

It’s likely that the compromised certificate in question is a Mimecast-issued trusted SSL/TLS certificate that customers install on their Exchange Client Access servers, securing the connection to Microsoft 365 servers.

In a short statement, Mimecast indicated that around 10 percent of its customers used impacted certificates. While the statement indicates that up to 3,600 of their 36,000 customers could potentially be compromised, Mimecast did specify that they expect that a “low single digit number of customers” were actually targeted.

Mimecast was made aware of this attack by Microsoft, and they do intend to disable the certificate’s use for Microsoft 365 effective January 18th, 2021. However, until the certificate can be suspended, Mimecast has issued a new, secure certificate and is urging all customers to re-establish their connections to Microsoft with the renewed authentication. To reassure customers, Mimecast did state that “taking this action does not impact inbound or outbound mail flow or associated security scanning”.

How Will This Attack Impact Mimecast Moving Forward?

Due to the nature of the attack, there has been speculation that there is a connection between this incident and the SolarWinds hack from early January. The use of third-party software to compromise targets has led to the conclusion that the same “sophisticated attackers” involved in the Mimecast hack were those who perpetrated the SolarWinds hack and breached multiple government agencies.

Mimecast has not yet commented on this theory, and a spokesperson for the email company has continued to maintain that their “investigation is ongoing and we don’t have anything additional to share at this time. All updates from Mimecast will be delivered through our blog”.

The danger of a hack like this cannot be overstated. A certificate compromise for even a percentage of Mimecast’s users means it is possible for these malicious actors to eavesdrop on or even infiltrate their targets’ Microsoft 365 Exchange Web Servers, allowing them to extract confidential communications and information. Another possible angle for these attackers is to disable Microsoft’s Mimecast protections, allowing a second “email-borne” attack to cause even further damage.

This compromise of a machine identity is exactly the type of hack that Venafi machine identity management can protect users from. Learn more about how machine identity management can protect your network from attackers that would circumvent your security protocols or pivot across your network!

About the author

Alexa Hernandez

Alexa is the Web Marketing Specialist at Venafi.
