In the email industry, we often talk about “reputation” as the holy grail of deliverability. If your domain is trusted, your mail lands in the inbox. But what happens when that trust is weaponised?
Recent intelligence from Check Point and Mimecast’s own 2025 threat research has spotlighted a massive campaign that turns a security feature into a Trojan horse. Cybercriminals have successfully abused Mimecast’s secure-link rewriting feature to deliver over 40,000 phishing emails to more than 6,000 organizations in a matter of weeks.
The Tactics: Living Off Trusted Services (LOTS)
This wasn’t a “hack” in the traditional sense. There was no software flaw or zero-day exploit. Instead, it was a classic example of LOTS—Living Off Trusted Services.
Here is how the attackers played the system:
- The Smoke Screen: Attackers sent malicious URLs through Mimecast’s legitimate rewriting service.
- The Result: The links were transformed into mimecastprotect.com URLs.
- The Bypass: Because Mimecast is a global leader in email security, its domains are typically “allow-listed” by other security filters. By wrapping a malicious link in a Mimecast domain, the attacker essentially borrowed Mimecast’s high reputation to stroll past the gatekeepers.
The Lure: Hyper-Realistic Brand Impersonation
The campaign focused heavily on sectors where document exchange is the “daily bread”—specifically Real Estate, Tech, and Consulting.
The emails were meticulously crafted to mimic routine SharePoint and DocuSign notifications. With authentic logos and spoofed display names like “X via SharePoint (Online),” they exploited the cognitive load of busy employees. When a user sees a Mimecast-protected link in a SharePoint notification, their “spam alarm” stays silent: the wrapper domain looks like proof that the link has already been checked.
Geographic Impact
The scale was global, but the focus was sharp:
- United States: 34,000+ emails
- Europe: 4,500+ emails
- Canada: 750+ emails
The Expert Take: Moving Beyond Passive Security
At emailexpert, we’ve always maintained that technical protocols like SPF, DKIM, and DMARC are the foundation, not the entire house. Those protocols answer one question: did this message really come from the domain it claims to come from? They say nothing about where the links inside it lead. This incident proves the point: even with a “picket fence” of authentication, an attacker holding a trusted neighbor’s key can still get inside, because the filters judged the wrapper domain rather than the destination behind it.
Mimecast’s response was clear: this was a misuse of a legitimate feature. It’s a sobering reminder that as our filters get smarter, attackers aren’t working harder to break them—they’re working harder to join them.
What Should You Do?
- Audit Your Rewriting Rules: If you use URL protection, make sure downstream filters evaluate the unwrapped destination of a rewritten link instead of allow-listing the rewriting domain wholesale, and monitor your click logs for anomalous redirect behavior, such as a destination domain your organization has never visited before suddenly receiving clicks from many recipients within minutes.
- Contextual Awareness: Train your team to verify document requests directly within the app (e.g., logging into SharePoint independently) rather than clicking through an email, even if the link looks “secure.”
- Implement “Human Risk Management”: Technology can scan the link, but it can’t always scan the intent. 2025 is the year of human-centric security.
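As an added example, not code from the emailexpert article or from Mimecast, the Python below demonstrates the two checks the bypass description and the audit step above call for: a filter verdict taken on the unwrapped destination rather than on the rewriting domain, and a rule over click logs that flags a destination nobody in the organization has visited before when several recipients click it in quick succession. The rewritten-URL layout (destination host carried in a `domain` query parameter), the domain names, the baseline and the log lines are all constructed for this example and are assumptions, not details taken from the campaign.

```python
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed for this example: the rewriting service's domain(s) that
# downstream filters tend to allow-list wholesale.
REWRITER_DOMAINS = {"mimecastprotect.com"}

# Assumption for this example: a rewritten link carries the original
# destination host in a "domain" query parameter. The real rewritten-URL
# layout is not taken from the article; only the shape of the check matters.
REWRITE_HOST_PARAM = "domain"


def host_in(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def unwrap_rewritten(url: str) -> Optional[str]:
    """Return the inner destination host if url is a rewriting-service link, else None."""
    parts = urlparse(url)
    if not host_in(parts.hostname or "", REWRITER_DOMAINS):
        return None
    inner = parse_qs(parts.query).get(REWRITE_HOST_PARAM, [None])[0]
    return inner.lower() if inner else None


def effective_host(url: str) -> str:
    """Host a verdict should be based on: the unwrapped destination when the
    URL is a rewrite, otherwise the URL's own host."""
    return unwrap_rewritten(url) or (urlparse(url).hostname or "").lower()


def naive_verdict(url: str, allowlist: set) -> str:
    """The bypass: a filter that allow-lists the rewriter's domain trusts every
    link wrapped in it, whatever it actually points at."""
    return "allow" if host_in(urlparse(url).hostname or "", allowlist) else "scan"


def hardened_verdict(url: str, allowlist: set, blocklist: set) -> str:
    """Same filter, but the decision is taken on the unwrapped destination, and
    the rewriter's own domain is never by itself a reason to allow."""
    host = effective_host(url)
    if host_in(host, blocklist):
        return "block"
    if host_in(host, allowlist - REWRITER_DOMAINS):
        return "allow"
    return "scan"  # unknown destination: hand it to the URL scanner


# Constructed click-log lines (timestamp, recipient, clicked URL) for the
# audit step; not real telemetry.
SAMPLE_CLICK_LOG = """\
2025-03-03T09:01:10Z alice@corp.example https://url.mimecastprotect.com/s/a1b2?domain=corp.sharepoint.com
2025-03-03T09:02:44Z bob@corp.example https://url.mimecastprotect.com/s/c3d4?domain=docs-review.example.net
2025-03-03T09:03:02Z carol@corp.example https://url.mimecastprotect.com/s/e5f6?domain=docs-review.example.net
2025-03-03T09:03:40Z dave@corp.example https://url.mimecastprotect.com/s/g7h8?domain=docs-review.example.net
2025-03-03T09:05:15Z erin@corp.example https://corp.sharepoint.com/sites/hr/policy.docx
"""

# Destinations the organization has legitimately used before (constructed baseline).
KNOWN_DESTINATIONS = {"sharepoint.com", "docusign.net"}


def flag_new_destinations(log_text: str, known: set, min_recipients: int = 3) -> list:
    """Flag unwrapped destinations outside the baseline that several distinct
    recipients clicked: the shape of a lure campaign riding a rewritten link."""
    recipients_by_host = defaultdict(set)
    for line in log_text.splitlines():
        _ts, recipient, url = line.split(" ", 2)
        recipients_by_host[effective_host(url)].add(recipient)
    return sorted(
        host for host, users in recipients_by_host.items()
        if not host_in(host, known) and len(users) >= min_recipients
    )


if __name__ == "__main__":
    lure = "https://url.mimecastprotect.com/s/c3d4?domain=docs-review.example.net"
    print("naive   :", naive_verdict(lure, {"mimecastprotect.com"}))
    print("hardened:", hardened_verdict(lure, {"mimecastprotect.com", "sharepoint.com"}, set()))
    print("flagged :", flag_new_destinations(SAMPLE_CLICK_LOG, KNOWN_DESTINATIONS))
```

The naive filter returns "allow" for the lure because its hostname ends in the allow-listed rewriter domain; the hardened filter returns "scan" for the same URL because the unwrapped destination is unknown, and it only returns "allow" when the destination itself is trusted. The log rule is deliberately coarse: a real deployment would key the baseline on registrable domains and a rolling time window, but the signal is the same one an analyst would look for after this campaign.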
As we move into 2026, the “trust” we build in our email ecosystems must be paired with a healthy dose of “verify.”