
The abuse demonstrates that trusted security infrastructure can be weaponized, forcing enterprises to rethink email protection strategies. It exposes a systemic weakness: a filter that trusts a rewriting service's domain cannot tell a link the service wrapped for a legitimate sender from one it wrapped for an attacker, which could erode confidence in URL‑rewriting safeguards across the industry.
The rise of URL‑rewriting services has given email security platforms a powerful way to protect users, but the same trust can be weaponized. In the recent campaign uncovered by Check Point, threat actors submitted malicious destinations to Mimecast's secure‑link feature, which then rewrote the URLs to appear under Mimecast's domain. Because the visible link now points at a recognized provider's domain rather than at the attacker's, reputation‑based gateway filters treat the message as safe, allowing phishing payloads to land directly in inboxes. The technique sidesteps domain‑reputation blocks entirely: the malicious host is never seen by the filter, only the rewriter's, and that exposes a blind spot in automated defenses that rely on the sending or linked domain alone.
The operation was remarkably large, with more than 40,000 phishing emails sent to over 6,000 organizations in just two weeks. Consulting firms, technology providers, and real‑estate companies were hit hardest, reflecting the high value of contract and invoice workflows in those sectors. Geographic analysis shows roughly 34,000 of the messages going to recipients in the United States, 4,500 to Europe, and 750 to Canada, underscoring the global reach of a single abuse vector. For security teams, the episode demonstrates that even well‑known vendors can become inadvertent conduits for malicious traffic.
Mitigating this abuse requires a layered approach. Organizations should enforce strict URL‑verification policies: detonate links in a sandbox before click‑through, and treat any link that passes through a third‑party rewriting service as unverified rather than letting it inherit the service's reputation. Mimecast and similar providers can enhance their analytics to detect anomalous rewrite patterns, such as a tenant generating rewritten links that are then sent from elsewhere, while offering customers visibility into the original destination behind a rewritten URL. Meanwhile, user education remains critical: employees must be trained to scrutinize unexpected notifications, even when the links appear to originate from trusted domains. As attackers continue to co‑opt legitimate infrastructure, continuous monitoring and adaptive controls become essential to preserve email security integrity.
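The following Python script is an added illustration of both the blind spot described above and the "do not inherit the rewriter's reputation" control; it is not Check Point's, Mimecast's, or the article's code. It contrasts a naive allowlist verdict with a hardened one that sends any link wrapped by a rewriting service to sandbox detonation. The sample URLs, the allowlist, the wrapper hostname patterns, the path token, and the idea that a rewriter may echo the original domain in a `domain` query parameter are all constructed assumptions for the example; a real deployment would take wrapper hostnames from vendor documentation and use the public suffix list for domain extraction.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed allowlist a naive reputation filter might use (example only).
NAIVE_TRUSTED_DOMAINS = {"mimecast.com", "microsoft.com"}

# Hosts that merely wrap a link on behalf of someone else. The Mimecast entry
# follows the article; the Safe Links entry is an added assumption for breadth.
REWRITER_HOST_PATTERNS = [
    re.compile(r"(^|\.)mimecast\.com$", re.IGNORECASE),
    re.compile(r"(^|\.)safelinks\.protection\.outlook\.com$", re.IGNORECASE),
]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. A simplification for the example:
    production code should consult the public suffix list so that a host
    such as 'portal.example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def naive_verdict(url: str) -> str:
    """The blind spot: anything under an allowlisted domain is waved through,
    including links a rewriting service wrapped for an attacker."""
    host = urlparse(url).hostname or ""
    return "allow" if registrable_domain(host) in NAIVE_TRUSTED_DOMAINS else "scan"


def is_rewritten_link(url: str) -> bool:
    """True when the link's host belongs to a known URL-rewriting service."""
    host = urlparse(url).hostname or ""
    return any(p.search(host) for p in REWRITER_HOST_PATTERNS)


def destination_hint(url: str) -> Optional[str]:
    """Assumption: some rewriters echo the original domain in a 'domain'
    query parameter. When present it is a hint for analysts, never a verdict,
    because the attacker controls the wrapped destination."""
    values = parse_qs(urlparse(url).query).get("domain")
    return values[0].lower() if values else None


def hardened_verdict(url: str) -> dict:
    """Wrapper hosts never inherit trust: their links go to sandbox detonation
    before click-through. Every other host falls back to the reputation check."""
    host = urlparse(url).hostname or ""
    if is_rewritten_link(url):
        return {
            "url": url,
            "action": "detonate",
            "reason": "link wrapped by third-party rewriting service",
            "destination_hint": destination_hint(url),
        }
    if registrable_domain(host) in NAIVE_TRUSTED_DOMAINS:
        return {"url": url, "action": "allow",
                "reason": "allowlisted domain", "destination_hint": None}
    return {"url": url, "action": "scan",
            "reason": "unknown domain", "destination_hint": None}


def triage(urls):
    """Apply the hardened policy to every link extracted from a message."""
    return [hardened_verdict(u) for u in urls]


if __name__ == "__main__":
    # Constructed links: one wrapped by a rewriter, one allowlisted, one unknown.
    sample_links = [
        "https://protect-us.mimecast.com/s/AbCdEfGh?domain=invoice-portal.example",
        "https://docs.microsoft.com/some/page",
        "http://evil.example/login",
    ]
    for link in sample_links:
        print(f"naive={naive_verdict(link):5s}  hardened={hardened_verdict(link)['action']:9s}  {link}")
```

The first sample link shows the gap the campaign exploited: the naive check returns `allow` because the host is under `mimecast.com`, while the hardened check returns `detonate` and surfaces the `domain` hint so an analyst can see where the wrapped link actually leads.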