Email security company Mimecast has disclosed today that a “sophisticated threat actor” compromised one of the certificates the company issues for customers to securely connect Microsoft 365 Exchange to their services.
Mimecast discovered that the certificate was compromised after recently receiving a notification from Microsoft.
“Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor,” Mimecast said earlier today.
While the exact number of customers who used the stolen certificate to secure the connection used for Microsoft 365 cloud synchronization server tasks was not disclosed, Mimecast says that roughly 10 percent of their customers “use this connection.”
The company says that it currently has more than 36,000 customers, with 10% of them amounting to roughly 3,600 affected customers.
Mimecast also said that it found evidence that “a low single-digit number of our customers’ M365 tenants were targeted” by the threat actor who compromised the certificate. The company added that it reached out to these customers to remediate and address this issue.
“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” Mimecast added.
“Taking this action does not impact inbound or outbound mail flow or associated security scanning.”
The security of our customers is always our top priority. We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate. – Mimecast
While Mimecast did not say what type of certificate was compromised by the attackers, the statement published earlier today most likely refers to one of the Mimecast-issued Trusted SSL certificates customers have to install on their Exchange Client Access servers to secure the connection to the Microsoft 365 servers.
The regional certificates relative to customers’ accounts have to be uploaded to Microsoft 365 to create a Server Connection in Mimecast.
One of these self-issued certificates was compromised or stolen, which could have potentially allowed the threat actors to use it in man-in-the-middle (MiTM) attacks.
A Mimecast spokesperson told BleepingComputer earlier today that the investigation of this incident is still ongoing and that the company does not have additional information to share.