Mimecast could also be a potential victim of the recent SolarWinds hack because the company revealed that one of its certificates was being used to authenticate its products with Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat.
The email and data security company said the compromised certificate is being used to authenticate its Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products. However, it was not Mimecast that discovered the compromised certificate but rather Microsoft .
In a blog post informing its users of the compromised certificate, Mimecast explained that 10% of its customers are affected, stating:
"Appr about 10% of our customers use this connection. Of those that do, it appears that a low single-digit number of M365 tenants from our clients has been targeted. We have already contacted these customers to resolve the issue.The safety of our customers is always our top priority. We have engaged a third-party forensic expert to assist us with our investigation and will work closely with Microsoft and law enforcement as appropriate.
Mimecast advises the 10% of its customer base using the compromised certificate to immediately remove the existing connection in their Microsoft 365 tenant. These customers must then reestablish a new connection using a new certificate provided by the company.
In a statement to CRN, a Microsoft spokesperson said it would block the compromised certificate, saying:
" We can confirm that acertificate provided by Mimecast has been compromised by a sophisticated actor. This certificate allows their customers to connect certain Mimecast applications to their M365 client. At the request of Mimecast, we are blocking this certificate on Monday January 18, 2021. ”
The reason Mimecast may have been attacked by the same threat actor behind the SolarWinds hack is because these Hackers often add authentication tokens and credentials to Microsoft Active Directory domain accounts in order to maintain persistence on a network and gain elevation of privilege. According to CISA , these tokens allow access to both an organization. premises and hosted resources.
Mimecast is currently investigating the matter further and we will likely find out if there is a connection to the SolarWinds hack one fAfter the investigation of the company was completed.