There is an ecs field for email.from.address which is the From field in the email header.

The mailfrom field in the smtp header is a field useful for detecting email spoofing.

Please add email.mailfrom.address to ecs. Also update the mimecast integration to extract the headerFrom field from the inbound Acc logs.