Mimecast, a global email security provider, on Tuesday said that one of its software security certificates had been breached by a “sophisticated threat actor” in a targeted operation to access customer emails.
London-based Mimecast has a sprawling footprint, claiming some 39,000 customers around the world. The company said 10% of its customers use the particular software implementation involved in the breach, adding that attackers apparently targeted “a low single-digit number” of customers.
The illicit access would have allowed attackers to spy on Mimecast clients.
The hackers’ methods, and the fact that they targeted Microsoft’s cloud-based email services, have parallels with a suspected Russian hacking campaign that has used tainted software made by contractor SolarWinds to breach multiple U.S. government agencies. A person familiar with the matter told CyberScoop that investigators are examining whether the same attackers who breached SolarWinds also infiltrated Mimecast, a detail first reported by Reuters.
“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their [Microsoft 365] tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” Mimecast said in a statement.
The attackers behind the SolarWinds’ compromises have used multiple techniques to burrow their way into U.S. government and corporate networks. U.S. Department of Homeland Security officials said last week that the hackers had been assigning tokens and certificates to existing Microsoft 365 software to make it harder for forensic teams to find them.
Microsoft, which has played a key role in investigating the SolarWinds’ breach, told Mimecast it had been compromised, Mimecast said. A Microsoft spokesperson did not immediately respond to a request for comment on Wednesday on whether the same attackers could be responsible.
Mimecast said it had enlisted a “third-party forensic expert” to help investigate. A Mimecast spokesperson declined to comment on who might be behind the breach, citing an ongoing investigation.