Mimecast Discloses Certificate Incident Possibly Related to SolarWinds Hack

Email security company Mimecast on Tuesday revealed that a sophisticated threat actor had obtained a certificate provided to certain customers.

According to Mimecast, it learned from Microsoft that hackers had compromised a certificate used to authenticate Mimecast Continuity Monitor, Internal Email Protect (IEP), and Sync and Recover products with Microsoft 365 Exchange Web Services.

“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” Mimecast said in a statement. “Taking this action does not impact inbound or outbound mail flow or associated security scanning.”

The company has not shared any details about the attacks abusing the compromised certificate, but some experts have speculated that the certificate may have allowed the hackers to intercept Mimecast customers’ communications.

Mimecast did say that roughly 10 percent of its customers used the impacted connection. The company claims to have over 36,000 customers across more than 100 countries, but the incident is believed to have impacted only “a low single digit number” of its customers’ Microsoft 365 tenants.

Mimecast said affected customers have been alerted and a third-party forensics firm has been called in to help investigate the incident.

According to Reuters, people with knowledge of the situation believe this incident may be related to the recently disclosed supply chain attack involving Texas-based IT management solutions provider SolarWinds.

The SolarWinds attack resulted in trojanized software updates being delivered to roughly 18,000 of the company’s customers. The attackers then delivered other payloads to a few hundred government and private organizations that presented an interest.

The attack on SolarWinds is believed to be the work of Russian cyberspies. The U.S. government said Russia is likely behind the attack and the malware used in the SolarWinds attack has been connected to a known Russian cyberspy group.

Related: 'Sunspot' Malware Used to Insert Backdoor Into SolarWinds Product in Supply Chain Attack

Related: Hackers Using Stolen D-Link Certificates for Malware Signing

Related: Comodo Issued Most Certificates for Signed Malware on VirusTotal

Related: Sectigo Revokes Certificates Used to Sign Malware Following Recent Report

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.