Hackers Use Mimecast Certificate to Access Microsoft Accounts

On Jan. 12, 2021, the cloud-based email security and management provider Mimecast disclosed that one of its digital certificates, used by approximately 10 percent of its customers, had been compromised and used to access some of its clients’ Microsoft 365 accounts. A digital certificate is a form of identity authentication that uses cryptographic keys to verify that the party presenting it is who it claims to be.

In its public disclosure, Mimecast states that the risk to most users is low: early indications show that only a “low single digit number of customers’ M365 tenants were targeted,” and those customers have already been contacted by Mimecast.

Steps to Mitigate Threat

Out of an abundance of caution, Mimecast recommends that customers who use the certificate to authenticate the Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services:

  1. Immediately delete the existing connection within their M365 tenant; and
  2. Re-establish a new certificate-based connection.

This group accounts for about 10% of Mimecast’s customer base.

Microsoft announced it will be blocking the compromised certificate on Jan. 18, 2021, and that customers not using Mimecast are not affected by the compromise.

Mimecast has not commented on whether the hack was related to the massive SolarWinds attack that was uncovered in December of last year and is still under investigation. However, Mimecast is working with law enforcement, Microsoft, and other third-party entities to investigate this incident.