The company said on Tuesday that internal investigations had showed that the incident was perpetrated by the same threat actor who had been behind the compromise of the Orion network management software sold by SolarWinds.
When Mimecast initially announced the incident on 13 January, it said it had been informed by Microsoft that a certificate it issued for authentication of Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services had been compromised.
At the time, Mimecast said about 10% of its customers used such connections but did not provide a number. According to Reuters, Mimecast has more than 36,000 customers.
|
"The vast majority of these customers have taken this action, and Microsoft has now disabled use of the former connection keys for all affected Mimecast customers."
Mimecast said it had now confirmed that the incident was related to the SolarWinds Orion software compromise.
"Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the US and the UK," the company said.
"These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journalling, and SMTP-authenticated delivery routes."
Customers had been advised to reset their credentials, Mimecast added.
The SolarWinds incident came to light after cyber security firm FireEye disclosed on 9 December AEDT that it had been compromised and had its Red Team tools stolen.
Five days later, FireEye published details about attacks using malware which it called SUNBURST; it said this malware had been used to hit both private and public entities, by corrupting the Orion network management software, a product of SolarWinds.