Approximately 10% of the customers of email and web security specialist Mimecast may be at risk of compromise by malicious actors after a company certificate used to authenticate various services to Microsoft Office 365 Exchange Web Services was compromised by “a sophisticated threat actor”.
Mimecast disclosed the incident today after being informed of the issue by Microsoft. The affected products are Mimecast Sync and Recover, Continuity Monitor and IEP (Internal Email Protect).
The firm said it had seen indications that a low single-digit number of its customers’ Office 365 tenants were targeted through the intrusion.
In a statement detailing the incident, Mimecast said: “The security of our customers is always our top priority. We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate.”
A Mimecast spokesperson declined further comment to news agency Reuters. Still, as a precaution, the company has said it is now asking the subset of its customers that use this certificate-based connection to cease using it immediately and re-establish a new certificate-based connection with a new certificate it is making available.
Taking this action will not affect any in- or outbound email flows or associated email scanning.
Citing anonymous sources familiar with the ongoing investigation, Reuters’ report stated that this compromise might relate in some way to the SolarWinds Orion Solorigate/Sunburst attack, or may be the work of the same group, which is likely backed by the Russian state.
The Solorigate attack, the consequences of which are still unfolding, targeted numerous US government bodies through tainted SolarWinds software updates.
The backdoor used – which shares coding similarities with another backdoor used by Russia-linked advanced persistent threat (APT) actors – was also used to attack FireEye, which lost control of several red team hacking tools it uses to conduct penetration testing exercises on its customers’ systems. Several other IT companies, including Cisco, Intel, Nvidia, and VMware, also received the malicious software update.