Impacted organizations were using Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products for Microsoft 365 Exchange Web Services (M365, formerly Office 365), and the breach was related to a digital certificate used to authenticate the connection between Mimecast and the M365 service. Malicious actors appear to have compromised the certificate, though no specific details were provided publicly. According to Mimecast, a very small number of customers were directly impacted. Mimecast has already notified the customers who they suspect were compromised. At Coalition, we scan to identify potential vulnerabilities related to technology use and have identified an extremely small number (<2%) of our customers who could potentially be affected.
Similar to other recent attacks, this breach is an attack against an organization's supply chain. Organizations may have been compromised by way of their email security vendor, indicating the scope of cybersecurity risk management extends beyond the organization’s own boundary — they also must consider all of the vendors, partners, and third-party software that have access to their data.
A compromise at a service provider, such as a set of phished user credentials or malware installed on a system, can be used to grant the attacker access to your organization, especially if the compromised vendor system has highly privileged access to sensitive systems or data. The compromised certificates were used to grant Mimecast’s services access to email servers and accounts hosted by Microsoft. Note there is no indication of a breach at Microsoft, but the scope of the breach includes two vendors: Microsoft for email and Mimecast for security.
Email is a rich source of data for attackers. It contains a wealth of sensitive company information and can be used to perform further malicious activities, such as sending phishing emails that appear legitimate and come from a known, trusted source. At Coalition, email and phishing attacks were the root cause of 54% of reported events in 2020, and we saw a 67% increase in reported claims from 2019 to 2020. This breach further highlights the vulnerability of email as a communication channel.
Mimecast asked all customers who use the services to delete the existing Mimecast-to-M365 connection re-establish it with a new certificate as a precaution. Microsoft alerted Mimecast of the issue, though Microsoft has not issued any public information about the breach. Mimecast has stated they are working with both Microsoft and law enforcement on the issue.
If you are using Microsoft 365 email and Mimecast for email security, read any instructions that come from Mimecast thoroughly and act as needed; if you use Mimecast but are unsure if you’re impacted, reach out to their Customer Success team. If you’re not sure whether you use Mimecast or which Mimecast products you’re using (and there are quite a few), check with your IT team or hosting provider to verify and take action accordingly. As always, be vigilant when using email, and finally, keep tabs on the situation by monitoring the Mimecast blog, where updates on this situation are being posted.