Fortalice Advisory on the Mimecast Certificate Compromise
On January 12, 2021, the email security provider Mimecast disclosed the compromise of certificates used to authenticate to the Microsoft 365 Exchange Web Services. The notification provided to Mimecast from Microsoft indicated that several certificates issued by Mimecast had been compromised by a sophisticated threat actor. These certificates are used by some customers to authenticate connections from Mimecast Sync and Recover, Continuity Monitor, and IEP products to customers’ Microsoft 365 Exchange Web Services.
Currently, Mimecast has not disclosed the nature of the compromise or whether the malicious actors were able to use the compromised certificates. These certificates would allow an adversary to conduct a “man-in-the-middle” attack, in which they would be able to take control of the connection and view inbound and outbound data flows, or to gain access to the Microsoft 365 Exchange Web Services from a compromised system on the customer’s network. Additionally, an attacker could compromise the Mimecast infrastructure to authenticate to a customer’s Microsoft 365 Exchange Web Services. In either case, data contained within the customer’s Exchange Web Services could be at risk.
How to Protect Yourself Now:
Mimecast states that approximately 10 percent of customers use this type of connection and that its investigation has found that only a single-digit number of customers were targeted. Mimecast has asked a subset of customers that use certificates to authenticate to these services to delete their Microsoft 365 Exchange Web Services connection and establish a new connection with a new certificate that has been provided. The use of a new certificate should not impact security scanning or the inbound or outbound mail flow.
What Comes Next:
Mimecast has engaged a third-party forensics firm to conduct a detailed investigation to determine the cause of the certificate compromise. In addition, Mimecast is working closely with Microsoft to address any security issues related to the Exchange Web Services. If you are concerned about the security of your own connection to Mimecast or have any questions regarding this incident, please do not hesitate to reach out to us.