A sophisticated threat actor compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services, Mimecast disclosed Tuesday.

The Lexington, Mass.-based email security vendor said the certificate used to authenticate its Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365 has been compromised. Mimecast said it was recently informed of the compromise by Microsoft.

Mimecast’s stock is down $2.40 per share (4.67 percent) to $49 per share in pre-market trading Tuesday, which is the lowest the company’s stock has traded since Dec. 15. Mimecast declined to answer questions about whether the compromise of its certificate was carried out by the same threat actor who for months injected malicious code into the SolarWinds Orion network monitoring tool.

Approximately 10 percent of Mimecast’s customers use the compromised connection, according to the company. Of those that do, Mimecast said current indications are that a low single-digit number of Mimecast customers’ Microsoft 365 tenants were actually targeted. Mimecast said it has already contacted the customers with targeted Microsoft 365 tenants to remediate the issue.

“The security of our customers is always our top priority,” Mimecast said in a statement issued Tuesday morning. “We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate.”

Mimecast said it’s asking the 10 percent of its customer base using this certificate-based connection to Microsoft 365 to immediately delete the existing connection within their Microsoft 365 tenant. Customers should then re-establish a new certificate-based connection using a new certificate that Mimecast has made available, according to the company.
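
An added example, not part of the original article or of any Mimecast or Microsoft tooling: a Python check a tenant admin could run over an exported list of service principals to confirm that the delete-and-re-establish steps above took effect. It assumes the connection shows up as a certificate key credential shaped like Microsoft Graph's `servicePrincipal.keyCredentials`; the vendor keyword, app names, audit date and thumbprints are constructed placeholders.

```python
from datetime import datetime, timezone

# Placeholder only: the article does not publish the compromised thumbprint.
REVOKED_THUMBPRINTS = {"DEADBEEF" * 5}
DISCLOSED = datetime(2021, 1, 12, tzinfo=timezone.utc)   # disclosure date per the article
AUDIT_TIME = datetime(2021, 1, 19, tzinfo=timezone.utc)  # constructed "now" for the sample


def cert(thumbprint, start, end):
    """Build one constructed keyCredential entry (Graph-style field names)."""
    return {"type": "AsymmetricX509Cert", "customKeyIdentifier": thumbprint,
            "startDateTime": start, "endDateTime": end}


# Constructed export. Assumption: customKeyIdentifier holds the hex thumbprint.
SAMPLE_EXPORT = [
    # New certificate added, but the old connection was never deleted.
    {"displayName": "ExampleVendor Sync Connector", "keyCredentials": [
        cert("DEADBEEF" * 5, "2020-03-01T00:00:00Z", "2022-03-01T00:00:00Z"),
        cert("A1" * 20, "2021-01-13T00:00:00Z", "2023-01-13T00:00:00Z")]},
    # Deleted and re-established correctly.
    {"displayName": "ExampleVendor Continuity Connector", "keyCredentials": [
        cert("B2" * 20, "2021-01-13T00:00:00Z", "2023-01-13T00:00:00Z")]},
    # Vendor connection still on a pre-disclosure certificate.
    {"displayName": "ExampleVendor Journal Connector", "keyCredentials": [
        cert("C3" * 20, "2019-06-01T00:00:00Z", "2021-06-01T00:00:00Z")]},
    # Revoked certificate reused under an unrelated name, lower-case thumbprint.
    {"displayName": "Legacy Mail Relay", "keyCredentials": [
        cert("deadbeef" * 5, "2020-03-01T00:00:00Z", "2022-03-01T00:00:00Z")]},
    # Unrelated application: out of scope, must not be flagged.
    {"displayName": "HR Portal", "keyCredentials": [
        cert("D4" * 20, "2018-01-01T00:00:00Z", "2022-01-01T00:00:00Z")]},
]


def norm(thumbprint):
    """Normalise a thumbprint for comparison: drop separators, upper-case."""
    return "".join(c for c in (thumbprint or "") if c.isalnum()).upper()


def ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2021-01-13T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_rotation(principals, revoked, vendor_keyword, rotated_after, now):
    """Return (displayName, finding) pairs for connections that still need work.

    revoked-cert-still-trusted: any principal, whatever its name, that still
        carries an unexpired certificate credential with a revoked thumbprint.
    not-rotated-since-disclosure: a vendor principal whose unexpired
        certificates were all issued before the disclosure date.
    """
    revoked = {norm(t) for t in revoked}
    findings = []
    for sp in principals:
        certs = [k for k in sp.get("keyCredentials", [])
                 if k.get("type") == "AsymmetricX509Cert"
                 and ts(k["endDateTime"]) > now]
        if any(norm(k.get("customKeyIdentifier")) in revoked for k in certs):
            findings.append((sp["displayName"], "revoked-cert-still-trusted"))
            continue
        in_scope = vendor_keyword.lower() in sp["displayName"].lower()
        rotated = any(ts(k["startDateTime"]) >= rotated_after for k in certs)
        if in_scope and certs and not rotated:
            findings.append((sp["displayName"], "not-rotated-since-disclosure"))
    return findings


def run_sample():
    """Audit the constructed export with the placeholder inputs above."""
    return audit_rotation(SAMPLE_EXPORT, REVOKED_THUMBPRINTS,
                          "ExampleVendor", DISCLOSED, AUDIT_TIME)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{finding:32} {name}")
```

The first sample entry is the case worth noticing: adding the new certificate without deleting the old connection leaves the revoked credential trusted.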

“We can confirm that a certificate provided by Mimecast was compromised by a sophisticated actor,” a Microsoft spokesperson told CRN in a statement. “This certificate enables their customers to connect certain Mimecast applications to their M365 tenant. At Mimecast’s request, we are blocking this certificate on Monday, January 18, 2021.”

One of the SolarWinds hackers’ primary persistence and escalation mechanisms has been adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Dec. 17. In many instances, CISA said the tokens enable access to both on-premise and hosted resources.

One of the main ways the Russian hackers have collected victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges, CISA said. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services (such as SharePoint) commonly use SAML, according to CISA.

Microsoft, however, said Dec. 31 that it hasn’t found any evidence that the SolarWinds hackers abused forged SAML tokens against the company’s own corporate domains. The colossal SolarWinds hacking campaign is believed to have been carried out by the Russian foreign intelligence service, or APT29.

Microsoft disclosed Dec. 31 that an account compromised by suspected Russian hackers had been used to view source code in a number of source code repositories, but none of the code itself was altered. The compromised Microsoft account didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.

A week earlier, CrowdStrike disclosed that the hackers behind the SolarWinds attack had attempted to hack the company through a Microsoft reseller’s Azure account but were ultimately unsuccessful. The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and the hackers failed in their attempt to read the company’s email since CrowdStrike doesn’t use Office 365 email.

Originally published at https://www.crn.com on January 12, 2021.
