Full Report
Email security firm Mimecast has had its digital certificate compromised, giving threat actors access to private customer communications.
Analysis Summary
# Incident Report: Mimecast Digital Certificate Compromise
## Executive Summary
Email security firm Mimecast experienced a compromise of the digital certificate used to secure connections between its products and Microsoft 365 services. The compromise potentially allowed threat actors to decrypt, read, or modify private customer communications for a small subset of customers. Microsoft notified Mimecast, which immediately contacted the small percentage of affected customers with remediation instructions.
## Incident Details
- Discovery Date: Unknown (Microsoft informed Mimecast)
- Incident Date: Prior to January 13, 2021 (Date of public announcement)
- Affected Organization: Mimecast (Email Security Vendor)
- Sector: Technology / Email Security
- Geography: Jersey-domiciled, UK-headquartered company (Global customer base)
## Timeline of Events
### Initial Access
- Date/Time: Not specified, prior to disclosure.
- Vector: Compromise of a highly secured internal system holding the private key for the digital certificate.
- Details: The digital certificate used to protect data connections between Mimecast products and Microsoft 365 services was compromised. Given the protection normally afforded to private keys, such a compromise typically implies either a sophisticated intrusion or insider access.
### Lateral Movement
- *Not explicitly detailed in the source.* Movement within Mimecast's certificate management infrastructure to obtain the private key is implied.
### Data Exfiltration/Impact
- Date/Time: Not specified.
- Details: Threat actors could decrypt, read, and modify data flowing through connections secured by the compromised certificate. Approximately 10% of Mimecast customers used this connection type, and Mimecast indicated that a "low single digit number" of those customers' M365 tenants were targeted.
### Detection & Response
- Date/Time: Microsoft informed Mimecast, initiating the response.
- Details: Mimecast announced the issue and contacted the small subset of affected customers to begin remediation: deleting the existing connection and reconnecting with a replacement certificate.
## Attack Methodology
- Initial Access: Compromise of highly secure internal systems storing private encryption keys/digital certificates.
- Persistence: Not detailed, but possession of the certificate's private key by itself grants a standing ability to intercept traffic on connections that trust that certificate, for as long as it remains valid and unrevoked.
- Privilege Escalation: Not detailed, but likely involved achieving high-level access to secure key management systems.
- Defense Evasion: Not detailed. The method bypasses standard application-layer security by targeting the underlying encryption mechanism.
- Credential Access: Not detailed. The primary target was the certificate's private key rather than user credentials, though a stolen certificate enables impersonation of the legitimate service and hijacking of its sessions.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Decryption, reading, and modification of sensitive customer email communications passing through the affected Microsoft 365 connections.
- Exfiltration: Not detailed, though the ability to read implies potential exfiltration.
- Impact: Eavesdropping on and tampering with customer communications.
## Impact Assessment
- Financial: Not quantified.
- Data Breach: Private customer communications protected by the certificate were exposed or modifiable. Roughly "a low single digit number" of M365 tenants were affected, out of the approximately 10% of customers using that connection.
- Operational: Affected customers had to immediately reconfigure their Microsoft 365 connections.
- Reputational: Negative impact on Mimecast's reputation as an email security provider.
## Indicators of Compromise
- Network indicators: Certificate chain anomalies in Mimecast-to-Microsoft 365 communication (defanged: `secure[.]mimecast[.]com` traffic presenting the compromised certificate).
- File indicators: Not specified.
- Behavioral indicators: Unexplained decryption or modification of secure traffic flows between Mimecast integrations and M365 tenants.
## Response Actions
- Containment measures: The immediate primary action was advising impacted customers to **delete their current Microsoft 365 connection and reestablish it using a replacement certificate.**
- Eradication steps: Issuing and deploying a new, uncompromised digital certificate for the respective services.
- Recovery actions: For targeted customers, the recovery involved re-establishing trusted, secure communication channels.
## Lessons Learned
- The security posture surrounding private encryption keys and digital certificates must be exceptionally robust, as compromise grants powerful, broad access (similar to the SolarWinds attack vector).
- If the attack involved sophisticated hacking rather than insider access, the security controls protecting the key repository were insufficient.
- The precise targeting ("low single digit number" of tenants) suggests a highly surgical operation despite the potential for broad impact.
## Recommendations
- Review and strengthen the physical and logical security protocols surrounding the storage and management of all private encryption keys and digital signing certificates.
- Implement multi-factor authentication and strict access controls (Principle of Least Privilege) for systems managing high-value cryptographic assets.
- Increase monitoring of certificate usage patterns and connection metadata to quickly detect anomalous decryption or session hijacking activities.
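A defensive check for the monitoring recommended above, for the certificate-chain indicators listed under Indicators of Compromise, and for verifying that the containment step (reconnecting with a replacement certificate) has actually taken hold. This is an added example, not Mimecast's, Microsoft's, or this report's own tooling: it pins the fingerprints a service-to-service connection is allowed to present, runs over constructed connection-log lines, and flags tenants still presenting the revoked certificate after the rotation date, certificates outside the pin set, issuer changes, and expired certificates. The log format, tenant names, peer name, rotation date, and the byte strings standing in for DER-encoded certificates are all assumptions made for the example.

```python
"""Detect anomalous certificate use on a pinned service-to-service connection.

Added example. The log format, tenants, peer name, rotation deadline and the
byte strings used in place of real DER certificates are constructed stand-ins.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as colon-separated
    uppercase hex (the form most TLS tooling prints)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-ins for certificate DER bytes (not real certificates).
COMPROMISED_DER = b"stand-in DER: certificate known to be compromised"
REPLACEMENT_DER = b"stand-in DER: replacement certificate"
UNKNOWN_DER = b"stand-in DER: certificate of unknown origin"
COMPROMISED_FP = fingerprint(COMPROMISED_DER)
REPLACEMENT_FP = fingerprint(REPLACEMENT_DER)
UNKNOWN_FP = fingerprint(UNKNOWN_DER)


@dataclass(frozen=True)
class Policy:
    pinned: dict                 # peer -> fingerprints ever trusted for that peer
    revoked: frozenset           # fingerprints that must not appear after rotation
    rotation_deadline: datetime  # assumed date by which reconnection must be done


# Assumed values: the rotation deadline is the public announcement date.
POLICY = Policy(
    pinned={"m365-ews": {COMPROMISED_FP, REPLACEMENT_FP}},
    revoked=frozenset({COMPROMISED_FP}),
    rotation_deadline=datetime.fromisoformat("2021-01-13T00:00:00+00:00"),
)
BASELINE_ISSUER = {"m365-ews": "Example Issuing CA"}  # constructed issuer name

# Constructed connection-log format: one TLS handshake per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) tenant=(?P<tenant>\S+) peer=(?P<peer>\S+) '
    r'fp=(?P<fp>[0-9A-F:]+) issuer="(?P<issuer>[^"]*)" notafter=(?P<notafter>\S+)$'
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["notafter"] = datetime.fromisoformat(rec["notafter"].replace("Z", "+00:00"))
    return rec


def allowed_fingerprints(policy: Policy, peer: str, at: datetime) -> set:
    """Pin set for a peer at a point in time: revoked certs drop out once the
    rotation deadline has passed, so pre-rotation traffic is not back-flagged."""
    allowed = set(policy.pinned.get(peer, set()))
    if at >= policy.rotation_deadline:
        allowed -= policy.revoked
    return allowed


def check_connection(rec: dict, policy: Policy, baseline_issuer: dict) -> list:
    """Return the finding types raised by a single handshake record."""
    findings = []
    if rec["fp"] not in allowed_fingerprints(policy, rec["peer"], rec["ts"]):
        # A revoked cert after the deadline means a tenant has not reconnected;
        # any other fingerprint is a pin violation worth investigating.
        findings.append("revoked_cert_in_use" if rec["fp"] in policy.revoked else "unpinned_cert")
    if rec["issuer"] != baseline_issuer.get(rec["peer"]):
        findings.append("issuer_change")
    if rec["notafter"] <= rec["ts"]:
        findings.append("expired_cert")
    return findings


def scan(lines, policy: Policy, baseline_issuer: dict) -> list:
    """Run every log line through the checks; malformed lines are skipped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for finding in check_connection(rec, policy, baseline_issuer):
            out.append((rec["tenant"], rec["ts"].isoformat(), finding))
    return out


# Constructed sample log: pre-rotation use of the old cert (benign), a reconnected
# tenant, a tenant still on the revoked cert, an unknown cert from another issuer,
# an expired cert, and one malformed line.
SAMPLE_LOG = [
    f'2021-01-05T09:00:00Z tenant=tenant-a peer=m365-ews fp={COMPROMISED_FP} issuer="Example Issuing CA" notafter=2022-06-30T00:00:00Z',
    f'2021-01-14T10:00:00Z tenant=tenant-a peer=m365-ews fp={REPLACEMENT_FP} issuer="Example Issuing CA" notafter=2022-06-30T00:00:00Z',
    f'2021-01-14T10:05:00Z tenant=tenant-b peer=m365-ews fp={COMPROMISED_FP} issuer="Example Issuing CA" notafter=2022-06-30T00:00:00Z',
    f'2021-01-14T11:00:00Z tenant=tenant-c peer=m365-ews fp={UNKNOWN_FP} issuer="Unrelated CA" notafter=2022-06-30T00:00:00Z',
    f'2021-01-14T12:00:00Z tenant=tenant-d peer=m365-ews fp={REPLACEMENT_FP} issuer="Example Issuing CA" notafter=2021-01-01T00:00:00Z',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for tenant, ts, finding in scan(SAMPLE_LOG, POLICY, BASELINE_ISSUER):
        print(f"{ts} {tenant}: {finding}")
```

The pin set deliberately keeps the compromised fingerprint as "ever trusted" so that connections made before the rotation deadline are not reported retroactively; after the deadline the same fingerprint becomes a `revoked_cert_in_use` finding, which is the signal that a tenant has not yet deleted and re-established its connection. In a real deployment the fingerprints would come from the DER bytes of the actual leaf certificates and the log lines from the TLS termination point or proxy.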