SmarterTools confirmed last week that the Warlock ransomware gang breached its network after compromising an email system, but it did not impact business applications or account data.
The company’s Chief Commercial Officer, Derek Curtis, says that the intrusion occurred on January 29, via a single SmarterMail virtual machine (VM) set up by an employee.
“Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” Curtis explained.
“Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.”
Although SmarterTools assures that customer data wasn’t directly impacted by this breach, 12 Windows servers on the company’s office network, as well as a secondary data center used for laboratory tests, quality control, and hosting, were confirmed to have been compromised.
The attackers moved laterally from that one vulnerable VM via Active Directory, using Windows-centric tooling and persistence methods. Linux servers, which constitute the majority of the company’s infrastructure, were not compromised by this attack.
The vulnerability exploited in the attack to gain access is CVE-2026-23760, an authentication bypass flaw in SmarterMail before Build 9518, which allows resetting administrator passwords and obtaining full privileges.
SmarterTools reports that the attacks were conducted by the Warlock ransomware group, which has also impacted customer machines using a similar activity.
The ransomware operators waited roughly a week after gaining initial access, the final stage being encryption of all reachable machines.
However, in this case, Sentinel One security products reportedly stopped the final payload from performing encryption, the impacted systems were isolated, and data was restored from fresh backups.
Tools used in the attacks include Velociraptor, SimpleHelp, and vulnerable versions of WinRAR, while startup items and scheduled tasks were also used for persistence, according to the company.
Cisco Talos reported in the past that the threat actors were abusing the open-source DFIR tool Velociraptor.
In October 2025, Halcyon cybersecurity company linked the Warlcok ransomware gang to a Chinese nation-state actor tracked as Storm-2603.
ReliaQuest published a report earlier today confirming that the activity is linked to Storm-2603, with moderate-to-high confidence.
“While this vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 chains this access with the software’s built-in ‘Volume Mount’ feature to gain full system control,” ReliaQuest said.
“Upon entry, the group installs Velociraptor, a legitimate digital forensics tool it has used in previous campaigns, to maintain access and set the stage for ransomware.”
ReliaQuest also saw probes for CVE-2026-24423, another SmarterMail flaw flagged by CISA as actively exploited by ransomware actors last week, although the primary vector was CVE-2026-23760.
The researchers note that CVE-2026-24423 provides a more direct API path to achieve remote code execution, but CVE-2026-23760 can be less noisy, blending into legitimate administrative activity, which is why Storm-2603 might have opted for that one instead.
To address all recent flaws in the SmarterMail product, administrators are recommended to upgrade to Build 9511 or later as soon as possible.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
