Mimecast® for Microsoft 365™ hacked
A few days ago, Microsoft® informed that a Mimecast® for Microsoft 365™ certificate has been hacked and is being used against Mimecast’s customers.
This certificate allows full administrative access to the Microsoft 365™ Exchange Web Services of some Mimecast’s customers, estimated to be around 10% of their global install base, who had configured the integration between Mimecast® and Microsoft 365™.
Since this announcement was made, we have been asked by our channel partners and customers if the integration between Libraesva’s products and Microsoft 365™ can be abused in the same way.
The short answer is no. The long answer is no, because…
1) We do not use a single certificate to authenticate against our customer’s Microsoft 365 tenants.
Libraesva products (Email Security Gateway and Email Archiver) authenticate to Microsoft 365™ using credentials that are unique for each tenant.
A single certificate that acts as a passe-partout key for full access to many customer’s tenants is a bad design choice from a security standpoint. This is, of course, our opinion.
2) We instruct our customers to provide to Libraesva with the minimum set of permissions we require.
Libraesva asks for the minimum set of permissions required to provide the services we provide. We do not advise our customers to provide complete access to their own tenants. We ask them to only provide the permissions that they need, based on how they use our products.
3) We have a de-centralized architecture.
Libraesva’s products are designed for full isolation between customers. Each customer ‘lives’ in a separate virtual appliance, with a unique IP address. We do not store access credentials in any central repository.
As Libraesva is a security company, we know that security is difficult and that anybody can fail. Our architectural and software design choices are based on strict security principles, among which is avoiding any single point of failure.