How a 'mimecast miss' led to a wide-scale email compromise


News Article
1 November 2020

In a recent blog post, Dan Fein, a Director at Darktrace, the cyber security AI company, reports on an email attack that the Mimecast email security gateway did not identify as malicious, but which turned out to be the first step in a wide-scale email compromise. The case highlights the challenges businesses face as they adopt new ways of working.

Mimecast is widely used across the legal sector. However, as well-researched and convincing impersonation attacks become more common, so do successful account takeovers, and these are becoming increasingly sophisticated and difficult to prevent.

This report, concerning a logistics firm that ran Mimecast in its Microsoft 365 environment, shows how traditional email tools, which build rules for what a 'bad' email looks like from past campaigns, miss novel and well-crafted phishing emails in the current threat landscape.

The firm was trialling Darktrace's Antigena Email in passive mode: the tool did not interfere with mail flow but only observed it, and its dashboard showed which actions it would have taken. This gave the firm a clear view of the consequences of relying purely on a gateway to stop advanced threats.

In this instance, by compromising a single employee's email account, the attacker accessed several sensitive files, gathering details of employees and credit card transactions, and then used the account to send a burst of further phishing emails to the organisation's contacts in an attempt to take over more accounts. This activity was picked up in real time by Darktrace's Microsoft 365 SaaS module.


The company was under sustained attack from a cyber-criminal who had already hijacked accounts at a number of its trusted partners. Abusing those trusted relationships, the attacker sent several tailored emails from the partners' accounts to the logistics company. All used the same subject-line convention, 'RFP for [compromised company's name]', and all appeared to be credential-harvesting attempts.

Figure 1: A sample of the malicious emails from the hijacked accounts; the red icon indicating that Antigena Email would have held these emails back

Each email carried its malicious payload as a link to a file-storage (SharePoint) location, hidden behind innocuous-looking anchor text (Figure 2), most likely to evade mail link analysis. Mimecast did rewrite the link for click-time analysis, but did not identify it as malicious; a URL on a legitimate, well-reputed file-sharing domain gives reputation-based link checks very little to work with.

Figure 2: Darktrace surfaces the text behind which the link was hidden
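The check Figure 2 illustrates, surfacing the real destination behind a link's visible text, is easy to reproduce on the raw HTML body. The following is an added example, not code from Darktrace, Mimecast or the article: it extracts every link from an HTML email, unwraps a hypothetical gateway click-time rewrite (the host `protect.example-gateway.test` and its `?u=` parameter are assumptions, not Mimecast's real format), and flags links whose destination is a file-sharing host or whose visible text names a different host than the one it actually points at. The sample body is constructed to mirror the RFP lure described above.

```python
"""Surface the real destination behind each link in an HTML email body.

Added example, not code from Darktrace, Mimecast or the article. The sample
body below is constructed, and "protect.example-gateway.test" is a
hypothetical stand-in for a gateway's click-time link rewriting; the real
Mimecast rewrite format is not reproduced here.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Well-reputed domains that attackers use to host credential-harvesting pages.
FILE_SHARING_HOSTS = ("sharepoint.com", "onedrive.live.com", "1drv.ms")

# Hypothetical gateway rewrite host (assumption): original URL carried in ?u=
REWRITE_HOST = "protect.example-gateway.test"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace so "Click\n here" compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def unwrap_rewritten(url):
    """Return the original URL if the (hypothetical) gateway wrapped it."""
    parts = urlparse(url)
    if parts.netloc.lower() == REWRITE_HOST:
        inner = parse_qs(parts.query).get("u")  # parse_qs already percent-decodes
        if inner:
            return inner[0]
    return url


def host_of(url):
    """Hostname of a URL; bare 'www.example.com' style text is accepted too."""
    if "://" not in url:
        url = "https://" + url
    return urlparse(url).hostname or ""


def is_file_sharing_host(host):
    # Match the domain and its subdomains only, not look-alikes such as evilsharepoint.com
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def analyse_links(html_body):
    """One record per link, with the reasons (if any) it deserves a closer look."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    findings = []
    for href, text in extractor.links:
        destination = unwrap_rewritten(href)
        host = host_of(destination)
        reasons = []
        if is_file_sharing_host(host):
            reasons.append("destination is a file-sharing host")
        if looks_like_url(text):
            if host_of(text) != host:
                reasons.append("visible text names a different host")
        elif reasons:
            reasons.append("destination hidden behind generic anchor text")
        findings.append({"shown": text, "href": href, "destination": destination,
                         "host": host, "rewritten": destination != href, "reasons": reasons})
    return findings


# Constructed sample body, modelled on the RFP lure described in the article.
SAMPLE_BODY = """
<p>Please find our RFP for Contoso Logistics below.</p>
<p><a href="https://protect.example-gateway.test/s/Ab12?u=https%3A%2F%2Fcontoso-my.sharepoint.com%2Fpersonal%2Fj_doe%2FRFP.pdf">RFP for Contoso Logistics</a></p>
<p><a href="https://portal.contoso-logins.example/auth">https://partner.example.com/secure</a></p>
<p>Regards,<br><a href="https://www.partner.example.com">www.partner.example.com</a></p>
"""

if __name__ == "__main__":
    for f in analyse_links(SAMPLE_BODY):
        print(f["shown"], "->", f["destination"], f["reasons"])
```

The point of unwrapping the rewrite first is that a gateway-wrapped link otherwise hides the real host from any downstream check; once unwrapped, the SharePoint destination behind the generic "RFP for ..." text is visible, and the second link is caught because its visible text claims one host while it points at another. Neither rule proves a link is malicious, which is exactly why a page on a legitimate domain passed the gateway here, but both are cheap signals to feed into a risk score or a hold-for-review decision.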

When clicked, the link led to a fake Microsoft login page built for credential harvesting. It was an accurate replica of the genuine page, and any email address and password entered went straight to the attacker for use in further account compromise.

Figure 3: The fake Microsoft login page

A number of employees, including the CEO, read the email; however, only one person, a general manager, appears to have had their email account hijacked by the attacker.


About three hours after the malicious email was opened, Darktrace's SaaS module detected an anomalous login to the general manager's account from an IP address never before seen across the business.

Open-source analysis showed that the IP address belonged to a high-fraud-risk ISP that runs anonymising VPNs and servers, which may be how the attacker got past geofencing rules. Shortly afterwards, Darktrace detected an anonymous sharing link being created for a file containing passwords.

Figure 4: Darktrace’s SaaS Module revealing the anomalous creation of a link

Darktrace then saw the newly shared file being accessed from the same anomalous IP address. Deeper analysis showed the attacker repeating this method: making previously protected resources publicly available and then immediately fetching them from the same IP address. Darktrace's AI observed the attacker accessing potentially sensitive information, including a file that appeared to hold credit card transaction records and a document containing passwords.

The following day, having extracted all the sensitive information the compromised account could offer, the attacker used it to send further malicious emails to the firm's trusted business associates, repeating the earlier method of fake, targeted RFPs designed to harvest credentials. Darktrace's SaaS module identified this anomalous behaviour, showing that the attacker sent over 1,600 tailored emails in the course of 25 minutes.

Figure 5: A graphical representation of the burst of emails sent over a 25 minute period
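The chain described above (a login from a never-seen IP, sharing links created on sensitive files, those files fetched from the same IP, and an outbound burst the next day) is something any team with Microsoft 365 audit logs can correlate itself, whatever product sits in front of the mailbox. The block below is an added example, not Darktrace's or the MSSP's code. The events are constructed and use a simplified subset of Unified Audit Log fields; the operation names (UserLoggedIn, AnonymousLinkCreated, FileAccessed, Send) follow the audit log's naming, but real records carry many more fields, and the fixed send threshold stands in for a learned per-user baseline. The user names, file paths and IP addresses are all assumptions.

```python
"""Correlate Microsoft 365 audit events into the account-takeover chain seen in
this incident: a login from a never-seen IP, anonymous sharing links created on
sensitive files, those files fetched from the same IP, and next day an outbound
email burst.

Added example, not Darktrace's or the MSSP's code. The events are constructed
and use a simplified subset of Unified Audit Log fields; the operation names
(UserLoggedIn, AnonymousLinkCreated, FileAccessed, Send) follow the audit log,
but real records carry many more fields. The send threshold is a fixed
placeholder for a learned per-user baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

GM = "gm@logistics.example"            # the hijacked general manager (constructed)
COLLEAGUE = "alice@logistics.example"  # an ordinary user for contrast (constructed)
ATTACKER_IP = "192.0.2.44"             # documentation address standing in for the VPN exit

# Constructed baseline: source IPs seen across the tenant in the previous 30 days.
KNOWN_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}


def ev(when, op, user, ip, obj=""):
    """Build one simplified audit record; 'when' is a datetime or ISO string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return {"CreationTime": when, "Operation": op, "UserId": user,
            "ClientIP": ip, "ObjectId": obj}


EVENTS = [
    ev("2020-09-01T09:02:00", "UserLoggedIn", GM, "203.0.113.10"),
    ev("2020-09-01T12:05:00", "UserLoggedIn", GM, ATTACKER_IP),
    ev("2020-09-01T12:09:00", "AnonymousLinkCreated", GM, ATTACKER_IP, "/Shared/passwords.xlsx"),
    ev("2020-09-01T12:09:30", "FileAccessed", GM, ATTACKER_IP, "/Shared/passwords.xlsx"),
    ev("2020-09-01T12:20:00", "AnonymousLinkCreated", GM, ATTACKER_IP, "/Finance/card_transactions.xlsx"),
    ev("2020-09-01T12:20:20", "FileAccessed", GM, ATTACKER_IP, "/Finance/card_transactions.xlsx"),
    # A colleague sharing a brochure from a known IP: same operations, no suspect login.
    ev("2020-09-01T14:00:00", "AnonymousLinkCreated", COLLEAGUE, "203.0.113.11", "/Marketing/brochure.pdf"),
    ev("2020-09-01T14:00:40", "FileAccessed", COLLEAGUE, "203.0.113.11", "/Marketing/brochure.pdf"),
]
# Next day: 1,600 tailored RFP emails in under 25 minutes from the hijacked account,
# alongside the colleague's ordinary hourly sends.
_burst_start = datetime(2020, 9, 2, 10, 0, 0)
EVENTS += [ev(_burst_start + timedelta(seconds=0.9 * i), "Send", GM, ATTACKER_IP,
              f"RFP for partner {i}") for i in range(1600)]
EVENTS += [ev(datetime(2020, 9, 2, h, 15, 0), "Send", COLLEAGUE, "203.0.113.11", "weekly update")
           for h in range(9, 17)]
EVENTS.sort(key=lambda e: e["CreationTime"])


def new_ip_logins(events, known_ips):
    """Logins from an IP address the tenant has never seen before."""
    seen = set(known_ips)
    hits = []
    for e in events:
        if e["Operation"] == "UserLoggedIn" and e["ClientIP"] not in seen:
            hits.append(e)
            seen.add(e["ClientIP"])  # alert once per new address
    return hits


def expose_then_access(events, suspect_logins, window=timedelta(hours=6)):
    """After a suspect login, the same user makes a file anonymously reachable
    and it is then read from the suspect IP: the expose-then-fetch pattern."""
    hits = []
    for login in suspect_logins:
        user, ip, t0 = login["UserId"], login["ClientIP"], login["CreationTime"]
        exposed = {}
        for e in events:
            if e["UserId"] != user or not (t0 <= e["CreationTime"] <= t0 + window):
                continue
            if e["Operation"] == "AnonymousLinkCreated":
                exposed[e["ObjectId"]] = e["CreationTime"]
            elif (e["Operation"] in ("FileAccessed", "AnonymousLinkUsed")
                  and e["ClientIP"] == ip and e["ObjectId"] in exposed):
                hits.append({"user": user, "ip": ip, "file": e["ObjectId"],
                             "exposed_at": exposed[e["ObjectId"]],
                             "accessed_at": e["CreationTime"]})
    return hits


def send_bursts(events, window=timedelta(minutes=25), threshold=200):
    """Sliding-window count of Send operations per user; returns the largest
    window over the threshold for each offending user."""
    recent = defaultdict(deque)
    worst = {}
    for e in events:
        if e["Operation"] != "Send":
            continue
        q = recent[e["UserId"]]
        q.append(e["CreationTime"])
        while q[0] < e["CreationTime"] - window:
            q.popleft()  # drop sends that fell out of the window
        if len(q) > threshold and len(q) > worst.get(e["UserId"], {"count": 0})["count"]:
            worst[e["UserId"]] = {"count": len(q), "start": q[0], "end": e["CreationTime"]}
    return worst


if __name__ == "__main__":
    logins = new_ip_logins(EVENTS, KNOWN_IPS)
    for h in expose_then_access(EVENTS, logins):
        print("exposed then fetched:", h)
    for user, b in send_bursts(EVENTS).items():
        print(f"send burst: {user} sent {b['count']} emails between {b['start']} and {b['end']}")
```

Two design choices matter here. The expose-then-fetch rule is keyed on the suspect login, so the colleague's perfectly normal "share a brochure, open it" sequence from a known IP produces nothing; anonymous links on their own are far too common to alert on. And the send-burst rule uses a sliding window rather than a fixed calendar bucket, so a burst straddling the top of the hour is still counted in full; in production the threshold would come from each user's own history rather than a constant, which is the "pattern of life" idea the article refers to.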


For the logistics company, the incident was a wake-up call. The Managed Security Service Provider (MSSP) running its cloud security had been entirely unaware of the account takeover, which Darktrace's SaaS module detected. The organisation recognised that today's email security challenge calls for technologies that not only stop phishing emails from reaching the inbox, but also detect account takeovers and malicious outbound mail when an attack does get through and compromises an account.

As a result, the organisation deployed Antigena Email in active mode, allowing it to stop subtle and targeted threats arriving through the inbox on the basis of its contextual understanding of the normal 'pattern of life' of every user and device.

The reality is that hundreds of emails like this trick not only people but traditional security tools every day. When it comes to the growing email security challenge, the status quo is no longer good enough. With the workforce more dispersed and agile than ever, there is a growing need to protect remote users across SaaS collaboration platforms while neutralising email attacks before they reach the inbox.

Thanks to Darktrace analyst Liam Dermody for his insights on the above threat find.