Septu comment: A Mimecast security certificate that authenticates certain products used with Microsoft 365 Exchange Web Services has allegedly been hacked, potentially giving the attackers access to the the emails of certain users. They say that ‘only a low single-digit number’ of Microsoft 365 tenants have been affected. The attack is being linked to the recently revealed SolarWinds compromise. Mimecast is an independent company that specialises in Microsoft email services such as its Secure Email Gateway.

Users of a specific Mimecast certificate used to authenticate services to Microsoft Office 365 may be at risk of compromise in an attack that may relate to the ongoing SolarWinds incident

Approximately 10% of customers of email and web security specialist Mimecast may be at risk of compromise by malicious actors, after a company certificate used to authenticate various services to Microsoft Office 365 Exchange Web Services has been compromised by “a sophisticated threat actor”.

Mimecast disclosed the incident today after being informed of the issue by Microsoft. The affected products are Mimecast Sync and RecoverContinuity Monitor, and IEP (Internal Email Protect).

The firm said that it had seen indications that a low single-digit number of its customers’ Office 365 tenants were targeted through the intrusion.

In a statement detailing the incident, Mimecast said: “The security of our customers is always our top priority. We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate.”

A Mimecast spokesperson declined further comment to news agency Reuters, but as a precaution, the company has said it is now asking the subset of its customers that use this certificate-based connection to cease using it immediately, and re-establish a new certificate-based connection with a new certificate it is making available.

It added that taking this action will not affect any in- or outbound email flows, or associated email scanning.

Citing anonymous sources familiar with the ongoing investigation, Reuters’ report went on to state it was possible that this compromise relates in some way to the SolarWinds Orion Solorigate/Sunburst attack, or may be the work of the same group, which is likely backed by the Russian state.

The Solorigate attack, the consequences of which are still unfolding, targeted numerous US government bodies through tainted SolarWinds software updates.

The backdoor used – which shares coding similarities with another backdoor used by Russia-linked advanced persistent threat (APT) actors – was also used to attack FireEye, which lost control of a number of red team hacking tools it uses to conduct penetration testing exercises on its customers’ systems.

A number of other IT companies, including Cisco, Intel, Nvidia and VMware, also received the malicious software update.

From:  computer weekly