Email from XMission

Security notice and upcoming improvements to XMission email

On Monday, July 11, XMission experienced a breach involving our hosted Zimbra email system. A highly targeted phishing email compromised the account of a recently hired staff member. The breach was identified on July 30 during a forensic review of unusual outbound activity.

Once identified, we secured the account, launched an internal investigation, and reviewed administrative access across the platform. Our review found that the compromised account had been mistakenly granted global Zimbra administrative access during onboarding. We have corrected this and tightened controls. 

There is no evidence that inbox contents or personal messages were accessed or exported. No password data was extracted by the attacker. The attacker was able to obtain a list of hosted email addresses with first and last names. We believe this is the source of the recent increase in phishing emails that impersonate XMission and some customers. In a small number of cases, the attacker set up unauthorized mail forwarding rules on individual mailboxes. Those rules have been removed. We will notify any affected customers directly.

What happened
  • July 11: a phishing email from a lookalike domain was opened by a new employee.
  • The account had unnecessary global administrative access, which exposed account metadata (email addresses and names).
  • July 30: mail administrators detected and contained the breach during a forensic review.
  • We secured the account, audited admin activity, and began a broader security review.

What we are doing now
  • Mandatory 2FA for all global administrative roles and a full review of privileged access.
  • Additional monitoring, rate limiting, and scanning on authenticated email flows.
  • Process changes so non-technical roles do not receive elevated permissions.

Our path forward: introducing iRedMail

For more than a year we have been preparing a new shared email hosting platform based on iRedMail Enterprise Edition. It is modern, secure, and built on open standards. The recent incident reinforced why this move makes sense for our customers. iRedMail gives us stronger security controls, faster updates, and direct control over system changes.

We are accelerating the rollout. Migrations will begin soon and complete by Q4 2025. We will coordinate with each customer ahead of time to ensure a smooth transition and uninterrupted service.

What will change
  • New webmail experience and hostnames. The current zimbra.xmission.com login will be replaced. We will send the new login details before your migration window.
  • For @xmission.com mailboxes: iRedMail with Roundcube webmail (email, POP, IMAP).
  • For business domains: iRedMail with SOGo webmail (email, POP, IMAP, ActiveSync, calendars, contacts, shared folders).
  • Stronger phishing and spam protections, and more frequent security updates.

What you should do now
  • Treat emails that urge immediate action with caution. Do not click links if you are unsure.
  • If a message claims to be from XMission, verify by logging in directly through our website or your control panel, not through email links.
  • Report suspicious messages by marking them as spam or forwarding them to spam@xmission.com.
  • If you believe an account has been tampered with, change the password and contact our support team.

For customers who need Zimbra

We understand some customers rely on Zimbra’s collaboration features. We will offer dedicated, isolated Zimbra virtual machines in our data center for those needs. These will be managed and priced based on resources. We will provide details in advance.

We take the protection of your data seriously. We regret this incident and have addressed the root causes. Our team is available 24/7 to answer questions and help secure your domain.