
Threat Actors using Mimecast to Evade M365 Forensics


Author: Will

Published: Mar 2, 2026

Read time: 4 min

Why DFIR teams must expand BEC investigations beyond Microsoft 365

In several recent Business Email Compromise (BEC) investigations, we have observed a subtle but important shift in attacker tradecraft: threat actors are leveraging Mimecast portals to further payment diversion fraud while avoiding traditional Microsoft 365 forensic review.

Yes, attackers are increasingly using an email security platform to evade detection in email security incidents. The irony is not lost on us.

This advisory is intended for DFIR firms, CISOs, and MSPs managing active or potential BEC matters. If Mimecast is present in your client environment, the investigation should include the platform's authentication and audit logs; otherwise persistence or other threat actor activity that took place inside Mimecast is likely to be missed.

Executive Summary

  • Threat actors are signing into Mimecast portals using compromised credentials.

  • Activity conducted inside Mimecast may not appear in standard Microsoft 365 forensic artefacts.

  • This allows attackers to progress payment diversion fraud while evading investigations focused solely on Entra sign-ins, Unified Audit Logs, or Exchange message traces.

  • Mimecast log review should now be standard in BEC scoping and containment workflows.

What We Are Seeing

Across multiple investigations, attackers followed a familiar initial pattern:

  1. Compromise of a Microsoft 365 user account.

  2. Credential harvesting and mailbox access.

  3. Internal reconnaissance and preparation for payment diversion.

However, instead of operating exclusively within Exchange Online, attackers pivot into Mimecast’s administrative or end-user portals using the compromised user’s credentials, in some cases without ever signing into M365 at all.

This is possible because:

  • Mimecast authentication is frequently tied to the same directory credentials as Microsoft 365 (directory synchronisation or domain authentication), so a harvested M365 password also opens the Mimecast portal.

  • Where Mimecast keeps its own cloud password, users often reuse their M365 password anyway.

  • Conditional Access, MFA enforcement and Entra sign-in logging only apply where Mimecast is federated to Entra ID for single sign-on. Where it is not, a Mimecast portal login never touches Microsoft's authentication plane and leaves no Entra sign-in event.

Once authenticated into Mimecast, attackers may:

  • Reset passwords or modify recovery settings.

  • Register additional devices.

  • Read and send mail through Mimecast’s own portal functionality, without touching the Exchange Online mailbox.

  • Harvest signatures and communication patterns.

  • Conduct outbound communication that does not appear in M365-centric artefacts.

From a forensic perspective, this is significant. Many mature BEC workflows rely on:

  • Entra ID sign-in logs

  • Unified Audit Logs

  • Exchange mailbox audit events

  • Message trace analysis

If malicious email activity occurs through Mimecast’s infrastructure rather than directly through Exchange Online, it may not be immediately visible in those artefacts. Mail sent from the Mimecast portal leaves Mimecast directly, so an Exchange message trace will not show it; Mimecast’s own audit log and message tracking become the primary record of that activity.


Why This Matters

Most established BEC investigation playbooks are Microsoft 365–centric — and rightly so. However, the presence of a third-party secure email gateway fundamentally changes the evidence landscape.

If Mimecast is deployed in the environment, investigators should now treat it as:

  • A potential access vector

  • A persistence location

  • A parallel messaging surface

Failing to review Mimecast authentication logs and audit data creates a blind spot that some threat actors are now exploiting.

In practical terms, we recommend:

  • Explicitly scoping Mimecast access during incident triage.

  • Reviewing Mimecast authentication and audit logs alongside Entra sign-ins.

  • Validating whether persistence or account modifications occurred within Mimecast.

  • Assessing whether outbound communications were initiated via Mimecast tooling.

This should be standard practice for both live containment and retrospective post-incident review.


Strand Update

We are fast-tracking an urgent Mimecast integration into Strand this week to bring this activity into the same automated workflow our customers already use for Microsoft 365 compromise response.

The objective is to provide unified visibility across:

  • Mimecast authentication activity

  • Persistence and configuration changes

  • Message activity

  • M365 sign-ins

  • Mailbox rules

  • Enterprise applications

  • SharePoint and file access

  • Automated forensic reporting

The goal is simple: remove investigative blind spots and ensure attackers cannot hide in adjacent platforms.


Recommended Action

If you are currently investigating — or anticipating — a BEC case in an environment using Mimecast:

  1. Add Mimecast audit log review to your standard workflow immediately.

  2. Validate authentication history and configuration changes.

  3. Confirm whether outbound communication activity occurred via Mimecast rather than directly via Exchange.
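The three steps above (and the scoping list under "Why This Matters") reduce to one correlation: take the Mimecast audit events for the affected users and line them up against the Entra ID sign-in log, flagging portal logins that Entra never saw, persistence changes made inside Mimecast, and mail sent from the portal. The script below is an added example written for this advisory, not Strand's code or a Mimecast-supplied tool. The sample records are constructed, and the field names (`auditType`, `user`, `eventTime`, `eventInfo`, `userPrincipalName`, `ipAddress`, `createdDateTime`) and the `auditType` labels are assumptions modelled on the two platforms' exports; map them to whatever your actual export contains before running it on a live matter.

```python
"""Added example: correlate Mimecast audit events with Entra ID sign-ins.

Constructed sample data; event field names and auditType strings are
assumptions modelled on Mimecast's audit export and the Entra sign-in log,
not a verified schema. Adapt the constants to the exports you actually pull.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample input -------------------------------------------
# A finance user was phished. Entra only shows the usual office sign-ins;
# the attacker worked entirely inside the Mimecast portal (203.0.113.42).
ENTRA_SIGNINS = [
    {"userPrincipalName": "[email protected]", "ipAddress": "198.51.100.7",
     "createdDateTime": "2026-02-23T08:58:00Z", "status": "success"},
    {"userPrincipalName": "[email protected]", "ipAddress": "198.51.100.7",
     "createdDateTime": "2026-02-24T08:40:00Z", "status": "success"},
]

MIMECAST_AUDIT = [
    {"auditType": "User logged in", "user": "[email protected]",
     "eventTime": "2026-02-23T09:01:30+0000",
     "eventInfo": "Source IP=198.51.100.7, Application=Personal Portal"},
    {"auditType": "User logged in", "user": "[email protected]",
     "eventTime": "2026-02-24T03:12:05+0000",
     "eventInfo": "Source IP=203.0.113.42, Application=Personal Portal"},
    {"auditType": "Password changed", "user": "[email protected]",
     "eventTime": "2026-02-24T03:14:47+0000",
     "eventInfo": "Source IP=203.0.113.42, Application=Personal Portal"},
    {"auditType": "Message sent", "user": "[email protected]",
     "eventTime": "2026-02-24T03:21:09+0000",
     "eventInfo": "Source IP=203.0.113.42, Application=Personal Portal, "
                  "Recipient=[email protected], Subject=Updated bank details"},
]

# auditType values that matter for BEC scoping (assumed labels, see lead-in).
LOGIN_TYPES = {"User logged in"}
PERSISTENCE_TYPES = {"Password changed", "Recovery settings changed",
                     "Device registered"}
OUTBOUND_TYPES = {"Message sent"}


def parse_time(value: str) -> datetime:
    """Parse both '2026-02-24T03:12:05+0000' and '...Z' into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def parse_event_info(info: str) -> dict:
    """Split 'Key=Value, Key=Value' eventInfo text into a dict."""
    pairs = (part.split("=", 1) for part in info.split(", ") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}


def entra_index(signins) -> dict:
    """Map (user, ip) -> list of successful Entra sign-in times."""
    index = defaultdict(list)
    for s in signins:
        if s.get("status") == "success":
            key = (s["userPrincipalName"].lower(), s["ipAddress"])
            index[key].append(parse_time(s["createdDateTime"]))
    return index


def correlate(mimecast_events, entra_signins, window=timedelta(hours=24)):
    """Return the findings an M365-only review would not produce.

    mimecast_only_login: portal login with no Entra sign-in for the same
        user from the same IP within +/- window.
    persistence_change:  password / recovery / device change in Mimecast.
    portal_outbound:     mail sent through the Mimecast portal.
    Every finding records whether Entra has ever seen that user+IP pair.
    """
    index = entra_index(entra_signins)
    findings = []
    for ev in mimecast_events:
        user = ev["user"].lower()
        when = parse_time(ev["eventTime"])
        info = parse_event_info(ev.get("eventInfo", ""))
        ip = info.get("Source IP", "unknown")
        entra_times = index.get((user, ip), [])
        corroborated = any(abs(t - when) <= window for t in entra_times)
        base = {"user": user, "ip": ip, "time": when.isoformat(),
                "ip_known_to_entra": bool(entra_times),
                "auditType": ev["auditType"]}
        kind = None
        if ev["auditType"] in LOGIN_TYPES and not corroborated:
            kind = "mimecast_only_login"
        elif ev["auditType"] in PERSISTENCE_TYPES:
            kind = "persistence_change"
        elif ev["auditType"] in OUTBOUND_TYPES:
            kind = "portal_outbound"
            base["recipient"] = info.get("Recipient")
            base["subject"] = info.get("Subject")
        if kind:
            findings.append({"kind": kind, **base})
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in correlate(MIMECAST_AUDIT, ENTRA_SIGNINS):
        print(f["time"], f["kind"], f["user"], f["ip"], f.get("subject", ""))
```

On the constructed data the office login on 23 February is corroborated by an Entra sign-in from the same address and drops out, while the three events from 203.0.113.42 surface as a Mimecast-only login, a password change and a portal-sent message to the supplier, with `ip_known_to_entra` false on each. That last flag is the useful one in practice: an IP that appears in Mimecast but never in Entra for the same user is exactly the access path an M365-centric playbook cannot see. The 24-hour window is a judgement call; tighten it for users who sign in many times a day.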

If you would like to discuss a live matter or review investigative approach, please contact [email protected].


Written by Will

The Strand team specializes in digital forensics, incident response, and cybersecurity threat analysis.