Mimecast Phishing Campaign

    18 March 2025

    By Rikesh Vekaria and Mimecast Threat Research Team

    Key Points

    What you'll learn in this notification

    • Campaign impersonating Mimecast and other brands
    • Predominately targeting real estate industries in the US
    • Uses redirects through various email security rewritten links to a credential harvesting page

    Rikesh Vekaria and the Mimecast threat researchers have recently identified a credential harvesting phishing campaign using the Mimecast brand. The threat actors use carefully designed "secure messages" to trick recipients into believing the emails are legitimate and related to secure communications.

    These campaigns leverage templates using Mimecast logos as well as other company logos to enhance their authenticity but always include the Mimecast disclaimer at the bottom of the email to further deceive the target. Real Estate companies seem to be a primary target for this campaign due to their familiarity with receiving secure messages via email. This familiarity increases the likelihood of the campaign's success, as recipients may be more inclined to trust and engage with communications that resemble legitimate secure messages.

    We have identified the use of various tactics to deceive end users and bypass security filters, one of which involves utilizing rewritten links from email security providers to redirect users to phishing pages. Mimecast has observed this method across several campaigns researched in 2024. Read more about the techniques utilized here.

    Once users click on these links, they are redirected to a page that closely resembles the legitimate Microsoft login page.

    This campaign was first observed in early February and runs at relatively low volumes across the week, with a break on the weekends. Over the last two weeks, 18 thousand detections predominately targeting the Real Estate industry have been identified.

    Targets:

    US, Real Estate 

    IOC:

    Subject Pattern:

    _____[CompanyName] Secured Message for r*****s@[companydomain #Ref-[random characters]

    Final phishing page:

    24editor[.]com/0ffice-msoft/cloud-mail/

    Recommendations

    • Ensure your URL Protect policy is set to protect the organization.
    • Search through your email receipt logs to determine if any similar subjects have been delivered to your users.
    • Review your web security logs to determine if any users have accessed the final phishing page.
    • Reset any affected users' passwords as a precautionary measure.
    • Educate end users on the abuse of trusted services.
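
One way to run the two log searches recommended above, as an added example that is not Mimecast's own tooling. The subject regex is an interpretation of the published pattern, and the log formats, user names and the `rewriter.example` host are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote

# Indicators copied from the IOC section above; the URL is refanged for matching.
PHISH_URL = "24editor[.]com/0ffice-msoft/cloud-mail/".replace("[.]", ".")
# Boundary check so look-alike hosts such as "not24editor.com" do not match.
IOC_RE = re.compile(r"(?<![a-z0-9-])" + re.escape(PHISH_URL.rstrip("/")))
# Loose regex for the published subject pattern (assumption: underscore count,
# address masking and the reference token vary from message to message).
SUBJECT_RE = re.compile(
    r"^\s*_+\s*.+?\s+Secured Message for\s+\S+@\S+\s+#Ref-\S+", re.IGNORECASE)

def url_hits_ioc(url, max_decode=3):
    """True if the URL, or a destination percent-encoded inside it (as in a
    rewritten link), points at the final phishing page."""
    candidate = url.lower()
    for _ in range(max_decode + 1):
        if IOC_RE.search(candidate):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    return False

def scan_mail(lines):
    """Recipients of messages whose subject fits the campaign pattern."""
    rows = (l.split("\t", 2) for l in lines)
    return [rcpt for _ts, rcpt, subj in rows if SUBJECT_RE.search(subj)]

def scan_web(lines):
    """Users whose requests reached, or embedded, the phishing URL."""
    return [l.split()[1] for l in lines if url_hits_ioc(l.split()[2])]

# Constructed sample logs (hypothetical formats, users and rewriter host).
MAIL_LOG = [
    "2025-03-10T09:14Z\talice@realty.example\t_____Example Realty Secured "
    "Message for a*****e@realty.example #Ref-8fK2xQ",
    "2025-03-10T09:20Z\tbob@realty.example\tQ1 listings review",
    "2025-03-10T09:25Z\tcarol@realty.example\tSecured Message policy reminder",
]
WEB_LOG = [
    f"2025-03-10T09:15Z alice https://{PHISH_URL}?id=1",
    "2025-03-10T09:16Z dave https://rewriter.example/r?u="
    + quote(f"https://{PHISH_URL}", safe=""),
    f"2025-03-10T09:17Z erin https://not{PHISH_URL}",
]

if __name__ == "__main__":
    print("mail:", scan_mail(MAIL_LOG), "web:", scan_web(WEB_LOG))
```

Accounts returned by either search are the candidates for the precautionary password reset.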