Anatomy of a Breach: Mimecast — The SolarWinds Shockwave Reaches Email Security

> series: anatomy_of_a_breach —— part: 145 —— target: mimecast —— linked_to: solarwinds_sunburst —— affected: 10%_of_customers

Hedgehog Security 31 January 2021 12 min read

SolarWinds was not the end. It was the beginning of a cascade.

In January 2021, Mimecast disclosed that a sophisticated threat actor had compromised a certificate used to authenticate several of its products — Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) — to Microsoft 365 environments. Approximately 10% of Mimecast's customer base used the compromised connection. The attack was linked to the same SolarWinds/Sunburst threat actor (Russia's SVR), demonstrating that the SolarWinds compromise was generating a cascade of follow-on attacks against the security ecosystem.

The compromise of a Mimecast authentication certificate was particularly concerning because Mimecast sits in the email path for its customers — inspecting, filtering, and processing email traffic. A compromised certificate could potentially allow the attacker to intercept email traffic between Mimecast and Microsoft 365 for affected customers. Mimecast asked all customers using the compromised certificate to delete and re-establish their connections. The incident joined RSA, Cloudflare, Imperva, and NordVPN in the growing list of security vendors compromised through supply chain attacks.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

One supply chain attack. An expanding web of compromises.

Supply Chain Attacks Cascade
SolarWinds did not end with SolarWinds — the compromised access was used to attack further targets in the security ecosystem. Mimecast, Microsoft, FireEye, and others were all affected. For UK organisations, the lesson is that a single supply chain compromise can trigger cascading breaches across your entire vendor ecosystem. <a href="/cyber-essentials">Cyber Essentials</a> addresses supply chain security.
Certificate Compromise
The stolen certificate authenticated Mimecast's products to Microsoft 365 — meaning the attacker could potentially impersonate legitimate Mimecast services. Certificate management — including rotation, monitoring, and revocation — is a critical security control. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses certificate management practices.
Email Security Vendor in the Email Path
Mimecast processes email for its customers — sitting between senders and recipients. Compromising Mimecast's authentication to Microsoft 365 could enable email interception at scale. When selecting email security vendors, their own security posture must be evaluated. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides email security monitoring independent of any single vendor.
Seventh Security Vendor Breached
Mimecast became the seventh security vendor breach documented in this series — joining RSA, LastPass, Hacking Team, Cloudflare, Imperva, and NordVPN. The pattern is now overwhelming: security vendors are high-value targets, and their compromise creates cascading supply chain risk. Our <a href="/penetration-testing">penetration testing</a> verifies security independently of vendor claims.

SolarWinds keeps expanding. Verify your vendor connections.

The Mimecast compromise demonstrated that major supply chain attacks generate secondary and tertiary effects that persist for months. For UK organisations, the action is clear: audit all vendor connections, rotate certificates and credentials, verify that vendor integrations are using current authentication mechanisms, and monitor for anomalous activity across vendor connections. Cyber Essentials mandates secure vendor management. Our infrastructure testing includes vendor integration assessment. SOC in a Box monitors vendor connections 24/7. And UK Cyber Defence provides the forensic capability to determine whether your organisation was affected by supply chain cascades.
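The audit step above, as an added example (not Mimecast's or Hedgehog Security's code): it lists every enterprise application in a Microsoft 365 tenant that authenticates with a certificate credential, the class of trust the compromised Mimecast certificate represented, marks the ones owned by a third-party tenant (vendor integrations), and flags any established before a cut-off date so they can be deleted and re-established. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can consent to Application.Read.All; the cut-off date is a placeholder.

```powershell
# Added example, not vendor code. Assumes the Microsoft.Graph SDK and an account
# that can grant Application.Read.All. $Cutoff is a placeholder: credentials
# established before it are reported as candidates for re-establishment.
param(
    [datetime]$Cutoff = (Get-Date).AddDays(-365)
)

Connect-MgGraph -Scopes "Application.Read.All" | Out-Null
$myTenant = (Get-MgContext).TenantId

# Service principals (enterprise applications) with their certificate credentials.
$servicePrincipals = Get-MgServicePrincipal -All `
    -Property id,appId,displayName,appOwnerOrganizationId,keyCredentials

$findings = foreach ($sp in $servicePrincipals) {
    foreach ($cred in $sp.KeyCredentials) {
        [pscustomobject]@{
            App            = $sp.DisplayName
            AppId          = $sp.AppId
            # Owned by another tenant means a vendor/multi-tenant integration.
            ThirdParty     = [bool]($sp.AppOwnerOrganizationId -and
                                    $sp.AppOwnerOrganizationId -ne $myTenant)
            CertName       = $cred.DisplayName
            KeyId          = $cred.KeyId
            Type           = $cred.Type
            Usage          = $cred.Usage
            EstablishedUtc = $cred.StartDateTime
            ExpiresUtc     = $cred.EndDateTime
            # Established before the cut-off: delete and re-establish the connection.
            Stale          = ($cred.StartDateTime -lt $Cutoff)
        }
    }
}

# Third-party, stale credentials first; these are the vendor connections to rotate.
$findings |
    Sort-Object -Property @{Expression = "ThirdParty"; Descending = $true},
                          @{Expression = "Stale"; Descending = $true},
                          EstablishedUtc |
    Format-Table -AutoSize
```

Run it before and after the vendor re-establishes its connection: the new credential should appear with a fresh EstablishedUtc and the old KeyId should be gone.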


SolarWinds reached Mimecast. Which of your vendors' vendors has been compromised?

Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses vendor integrations. <a href="/cyber-essentials">Cyber Essentials</a> mandates supply chain security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors vendor connections.
