
Cyber Incident Victim: Mimecast

Date: Jan 2021

Location: United States of America

Summary

Mimecast disclosed that a sophisticated threat actor compromised a security certificate protecting connections between its products and Microsoft's cloud services, enabling unauthorized surveillance of customer communications. The breach, detected through collaboration with Microsoft, impacted approximately 10% of the firm's customer base, though only a minimal number were confirmed as directly targeted. Attackers exploited this access to hijack the company's email security tools for espionage purposes.


Description

On January 12, 2021, email security provider Mimecast disclosed that a sophisticated threat actor had compromised its systems to spy on customers. The attackers targeted a digital certificate Mimecast used to authenticate connections between its products and Microsoft’s cloud services, enabling unauthorized access to customer communications. Microsoft’s security team identified the breach and alerted Mimecast, prompting an immediate investigation. Mimecast confirmed the certificate’s compromise allowed the threat actor to intercept or manipulate data flows between its services and Microsoft 365 environments. The company stated approximately 10% of its global customer base (over 3,600 organizations out of more than 36,000) experienced some level of exposure due to the hijacked authentication mechanism. While most affected customers faced only this broad exposure, Mimecast assessed that a “low single digit number” of customers were singled out for focused surveillance. The incident highlighted risks in third-party supply chain integrations, particularly for email security systems handling sensitive organizational communications.


Mimecast initiated containment measures by revoking the compromised certificate and deploying a replacement to restore secure connections with Microsoft’s services. The company collaborated with Microsoft’s investigators to trace the attack’s scope and identify impacted customers. No details were disclosed regarding the duration of unauthorized access prior to detection or the specific data exfiltrated. Mimecast notified all affected organizations and advised them to implement the new certificate while auditing their Microsoft 365 tenant logs for anomalies. The breach underscored the operational reliance on certificate-based trust models and their potential exploitation by advanced adversaries. Mimecast’s public statement did not attribute the attack to any known threat group or disclose technical specifics about the certificate’s compromise method. Remediation efforts focused on certificate renewal, customer notifications, and reinforcing internal security controls to prevent similar incidents.
