Microsoft recently informed Mimecast that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor.
Approximately 10 percent of customers use this connection. Of those that do, there are indications that a low single-digit number of customers' M365 tenants were targeted. Mimecast has already contacted these customers to remediate the issue.
As a precaution, Mimecast is asking the subset of its customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate it has made available. Taking this action does not impact inbound or outbound mail flow or the associated security scanning.
When Microsoft informed Mimecast about the compromise of a Mimecast-issued certificate, they advised affected customers to break and re-establish their connections with newly issued keys. The vast majority of these customers have taken this action, and Microsoft has now disabled use of the former connection keys for all affected Mimecast customers.
Mimecast has launched an internal investigation, supported by leading third-party forensics experts, and is coordinating activities with law enforcement. The investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor.
The investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premises and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.