Mimecast breach investigators probe possible SolarWinds connection

The illicit access would have allowed attackers to spy on Mimecast clients.

Mimecast, a global email security provider, on Tuesday said that one of its software security certificates had been breached by a “sophisticated threat actor” in a targeted operation to access customer emails.

London-based Mimecast has a sprawling footprint, claiming some 39,000 customers around the world. The company said 10% of its customers use the particular software implementation involved in the breach, adding that attackers apparently targeted “a low single-digit number” of customers.

The hackers’ methods, and the fact that they targeted Microsoft’s cloud-based email services, have parallels with a suspected Russian hacking campaign that has used tainted software made by contractor SolarWinds to breach multiple U.S. government agencies. A person familiar with the matter told CyberScoop that investigators are examining whether the same attackers who breached SolarWinds also infiltrated Mimecast, a detail first reported by Reuters.


“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their [Microsoft 365] tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” Mimecast said in a statement.  

The attackers behind the SolarWinds compromises have used multiple techniques to burrow their way into U.S. government and corporate networks. U.S. Department of Homeland Security officials said last week that the hackers had been assigning tokens and certificates to existing Microsoft 365 software to make it harder for forensic teams to find them.

Microsoft, which has played a key role in investigating the SolarWinds breach, told Mimecast it had been compromised, Mimecast said. A Microsoft spokesperson did not immediately respond to a request for comment on Wednesday on whether the same attackers could be responsible.

Mimecast said it had enlisted a “third-party forensic expert” to help investigate. A Mimecast spokesperson declined to comment on who might be behind the breach, citing an ongoing investigation.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
