
Conosco joins Mimecast's Security Researcher Wall of Fame

by Aaron Flack on Aug 13, 2025


Conosco has been added to Mimecast's Security Researcher Wall of Fame, recognising responsible disclosure efforts led by Martin Hodgson, Consultant at Conosco. The accolade reflects disciplined security work carried out within a broader programme to strengthen email authentication across suppliers and partners. Conosco thanks Mimecast for its open, collaborative approach to coordinated disclosure and for publicly acknowledging the contribution.

"Martin's work reflects the standard Conosco holds itself to. The team expects the same accountability from vendors that clients expect from Conosco. Responsible disclosure is part of safeguarding the ecosystem clients rely on, every day."
Max Mlinaric

CEO

"Credit to Mimecast for encouraging coordinated disclosure and for addressing issues quickly. The fastest way to reduce risk is open collaboration across the supply chain, supported by tight email authentication."
Martin Hodgson

Consultant

Why this matters: Security is a team sport.

Email is still the primary entry point for fraud and compromise. Criminals blend technical weaknesses with social engineering to move money, harvest credentials, and pivot into core systems. The UK National Cyber Security Centre highlights business email compromise as a significant risk and offers practical measures to reduce the likelihood and impact of an incident.

The threat is not abstract. Recent attacks against UK retailers used help desk impersonation to persuade staff to reset credentials, a tactic that bypasses many traditional controls. This is precisely where disciplined email authentication and strong process guardrails help reduce the blast radius.

Supply chain risk, in plain sight

Many brands now rely on a multitude of cloud platforms, marketing tools, finance systems, and ticketing services that send emails on their behalf.

Each sender must be authenticated correctly. Any drift creates blind spots.

Common failure modes include:

  • Unauthenticated third-party senders that slip through change control.
  • Domains that never send email but remain impersonable if not locked down.
  • Expired or weak email transport protections that allow downgrade or interception.
  • Vendor misconfigurations that undo hard-won progress.

Mailbox providers are also raising the bar. Gmail and Yahoo have introduced explicit requirements for senders, including authentication and DMARC for bulk mail. Poorly authenticated emails may face throttling, be placed in the spam folder, or be rejected.

Responsible disclosure is part of resilience.

Coordinated disclosure is not performative. It is a practical way to shorten the window between discovering a weakness and closing it across the ecosystem. Mimecast's policy sets clear expectations for scope, collaboration, and timelines, and the Security Researcher Wall of Fame recognises researchers who follow that process. Conosco appreciates the partnership and the professionalism shown in turning findings into fixes.

How Conosco's Email Domain Security works

Conosco's Email Domain Security, delivered through its Brand Protection service, focuses on outcomes. It brings domains under governance, authenticates every legitimate sender, and blocks impersonation at scale. The approach combines standards with continuous monitoring and expert stewardship.

SPF, DKIM, and DMARC

Sender Policy Framework lists who is allowed to send for the domain. DomainKeys Identified Mail adds a cryptographic signature that identifies the signing domain and shows that the signed headers and body have not been altered in transit. Domain-based Message Authentication, Reporting and Conformance ties the two together: it requires the authenticated domain to align with the visible From domain, instructs receivers how to handle email that fails, and provides reports that show who is using the brand.
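To make the three mechanisms concrete, the following is an added example (not Conosco's or Mimecast's code) that audits constructed SPF and DMARC records for the weak settings the article warns about and then evaluates DMARC alignment the way a receiver would. The domains, records and function names are constructed, and the organisational-domain rule is a deliberate simplification of the Public Suffix List lookup real receivers perform.

```python
"""SPF and DMARC checks and a DMARC alignment evaluation over constructed records.

Added example. Domains, records and helper names are constructed; the
organisational-domain rule (last two labels) is a simplification of the
Public Suffix List lookup that real receivers perform."""

# Constructed DNS TXT records for a fictional brand and its newsletter subdomain.
SAMPLE_TXT = {
    "example.test": "v=spf1 include:_spf.mailvendor.test ip4:203.0.113.0/24 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=r",
    "news.example.test": "v=spf1 include:bulk.mailer.test +all",
    "_dmarc.news.example.test": "v=DMARC1; p=none",
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_findings(record: str) -> list[str]:
    """Return human-readable weaknesses found in one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        term = term.lower()
        qualifier = "+"                      # SPF's default qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism = term.split(":")[0].split("/")[0].split("=")[0]
        if mechanism in LOOKUP_TERMS:
            lookups += 1
        if mechanism == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
        if mechanism == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders evaluate to Neutral")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' authorises every sender: SPF gives no protection")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (PermError)")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Flag monitoring-only policies, missing aggregate reporting and partial enforcement."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no sender inventory")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the traffic")
    return findings


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    if mode == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(header_from: str, record: str, spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """'pass' when SPF or DKIM both passes and aligns; otherwise the p= action to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


if __name__ == "__main__":
    for name, record in SAMPLE_TXT.items():
        check = dmarc_findings if name.startswith("_dmarc.") else spf_findings
        print(f"{name}: {check(record) or ['ok']}")
```

Run as-is, the brand domain passes clean while the newsletter subdomain shows the two failure modes named above: an SPF record ending in `+all` and a DMARC policy still at `p=none` with no reporting address. The disposition function shows why alignment matters: a DKIM signature from an unrelated vendor domain passes DKIM yet still fails DMARC.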

BIMI

Brand Indicators for Message Identification displays the verified brand mark in supported inboxes once DMARC is enforced. It rewards the hard work of authentication with better recognition and trust.

MTA STS and TLS reporting

Mail Transfer Agent Strict Transport Security tells senders to use encrypted transport and what to expect when connecting to the domain. SMTP TLS Reporting provides feedback when that transport fails. Together, they reduce downgrade and interception risk in transit, which matters for sensitive workflows.

Continuous monitoring and adjustment

Email ecosystems change constantly. New marketing platforms appear. Legacy apps are retired. Vendors rotate IPs. Conosco monitors authentication and transport signals, tunes the policy, and keeps legitimate traffic flowing. It is a managed path to enforcement without breaking delivery.

What leaders gain

Fewer successful impersonation attempts

Strong authentication stops most spoofing before it reaches the inbox. Attackers must then fall back on more expensive methods, which are easier to detect and contain. The NCSC's guidance is clear that layered controls and robust processes reduce the likelihood of payment diversion and account takeover.

Better deliverability and reputation

An authenticated email performs better. Gmail and Yahoo have set clear expectations for authentication and complaint rates. Meeting those standards protects reputation and improves placement.

Clarity on third-party senders

DMARC reporting reveals who is sending on behalf of the domain. This creates a reliable inventory of legitimate services, highlights shadow senders, and provides evidence to hold vendors accountable.

Transport assurance for sensitive flows

MTA STS gives confidence that inbound transport is encrypted and aligned to the right servers. TLS reporting informs the team when a problem occurs. This combination strengthens assurance for legal, finance, and healthcare communications.

A measured stance on social engineering

Technology alone does not neutralise social engineering. Policies and training must reinforce double checks, out-of-band confirmations, and clear rules for password resets and payment changes. The NCSC continues to recommend these human controls alongside technical measures, and recent UK incidents underscore the point. Conosco's Email Domain Security (EDS) programme aligns both layers, so that the brand is hard to impersonate and staff know how to respond when pressure arrives.

Credits where they are due

Conosco thanks Mimecast and the security community for the professional handling of responsible disclosure. Recognition on the Wall of Fame belongs to Martin Hodgson and the wider Email Domain Security team. For details on Mimecast's policy and the Security Researcher Wall of Fame, see the official page.

Take the next step

Bring domains under control. Stop impersonation. Improve deliverability. Book an Email Domain Security demo to see how Conosco's Brand Protection service quickly closes gaps and keeps them closed.

Explore Conosco Brand Protection and EDS first-hand. Speak to an expert and book a demo.

References

  • Mimecast Responsible Disclosure and Security Researcher Wall of Fame. (Mimecast)
  • NCSC guidance on business email compromise and phishing. (NCSC)
  • Gmail and Yahoo sender requirements for authentication and DMARC. (Google Help, senders.yahooinc.com)
  • RFC 8461 and RFC 8460 for MTA STS and SMTP TLS Reporting. (IETF Datatracker)
  • Conosco Brand Protection, including SPF, DKIM, DMARC, BIMI, and monitoring. (conosco.com)
