Back

NetSPI’s Patrick Sayler Earns Spot on Mimecast’s Security Researcher Wall of Fame for Email Defense Evasion

Patrick successfully bypassed Mimecast URL and file inspection features and worked with the email security company to remediate the issues.

Minneapolis, MN NetSPI, the leader in enterprise penetration testing and attack surface management, today announced that Principal Security Consultant Patrick Sayler was recognized on Mimecast’s Security Researcher Wall of Fame for bypassing email defenses within Mimecast Targeted Threat Protection (TTP). 

Patrick was able to bypass the URL and file inspection features which could have allowed an adversary to serve a malicious file or URL after Mimecast had already deemed it secure. A full breakdown of the process and remediation steps taken can be found on the NetSPI technical blog.

Patrick uncovered the vulnerability during a hybrid breach and attack simulation and social engineering penetration testing engagement for one of its clients. He worked closely with the Mimecast Responsible Disclosure Team to remediate the core issues identified within the TTP platform:  

  • The file content was not served by Mimecast (Mimecast has committed to implementing a fix
  • File inspection followed a predictable pattern (This issue has been addressed
  • Results were stored by filename and shared (Addressed via risk-based caching on a continuous basis

“This is a great reminder of the vital importance of defense in depth,” said Patrick. “When a frontline technical control fails, do you have back up, layered defenses and policies in place to slow down adversaries and prevent incident escalation? Social engineering and breach and attack simulation assessments can help organizations answer this question with confidence.” 

To learn more about NetSPI’s responsible disclosures and vulnerability research, visit https://www.netspi.com/pentesting-team/

About NetSPI  

NetSPI is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – attack surface management, penetration testing as a service, and breach and attack simulation. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, three of the five largest healthcare companies, the leading cloud providers, and many of the Fortune® 500. NetSPI, a KKR and Ten Eleven Ventures portfolio company, is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. Follow NetSPI on Facebook, Twitter, and LinkedIn. 

Media Contacts: 
Tori Norris, NetSPI 
victoria.norris@netspi.com
(630) 258-0277  

Jessica Bettencourt, Inkhouse for NetSPI
netspi@inkhouse.com
(774) 451-5142