Hackers steal Mimecast certificate used to encrypt customers’ M365 traffic

Hackers steal Mimecast certificate used to encrypt customers’ M365 traffic

Email management provider Mimecast said that hackers have compromised a digital certificate it issued and used it to target select customers who use it to encrypt data they sent and received through the company’s cloud-based service.

In a post published on Tuesday, the company said that the certificate was used by about 10 percent of its customer base, which—according to the company—numbers about 36,100. The “sophisticated threat actor” then likely used the certificate to target “a low single digit number” of customers using the certificate to encrypt Microsoft 365 data. Mimecast said it learned of the compromise from Microsoft.

Certificate compromises allow hackers to read and modify encrypted data as it travels over the Internet. For that to happen, a hacker must first gain the ability to monitor the connection going into and out of a target’s network. Typically, certificate compromises require access to highly fortified storage devices that store private encryption keys. That access usually requires deep-level hacking or insider access.

The Mimecast post didn’t describe what type of certificate was compromised, and a company spokesman declined to elaborate. This post, however, discusses how customers can use a certificate provided by Mimecast to connect their Microsoft 365 servers to the company’s service. Mimecast provides seven different certificates based on the geographic region of the customer.

Delete! Delete!

Mimecast is directing customers who use the compromised certificate to immediately delete their existing Microsoft 365 connection with the company and re-establish a new connection using a replacement certificate. The move won’t affect inbound or outbound mail flow or security scanning, Tuesday’s post said.

The disclosure comes a month after the discovery of a major supply chain attack that infected roughly 18,000 customers of Austin, Texas-based SolarWinds with a backdoor that gave access to their networks. In some cases—including one involving the US Department of Justice—the hackers used the backdoor to take control of victims’ Office 365 systems and read email they stored. Microsoft, itself a victim in the hack, has played a key role in investigating it. The type of backdoor pushed to SolarWinds customers would also prove valuable in compromising a certificate.

It’s way too early to say that the Mimecast event is connected to the SolarWinds hack campaign, but there’s no denying that some of the circumstances match. What’s more, Reuters reported that three unnamed cybersecurity investigators said they suspect the Mimecast certificate compromise was carried out by the same hackers behind the SolarWinds campaign.