Warlock Ransomware Breaches SmarterTools via SmarterMail Vulnerabilities (CVE-2026-23760, CVE-2026-24423)
- Rescana
- 10 hours ago
- 5 min read

Executive Summary
On January 29, 2026, the Warlock ransomware group, also known as Gold Salem and Storm-2603, successfully breached the network of SmarterTools by exploiting unpatched authentication bypass vulnerabilities in SmarterMail (CVE-2026-23760 and CVE-2026-24423). The attackers gained initial access through a single, unpatched SmarterMail virtual machine, moved laterally within the Windows-centric infrastructure using Active Directory, and attempted to deploy ransomware. The ransomware payload was detected and blocked by SentinelOne security products, preventing data encryption and allowing recovery from backups. No customer data or business applications were directly impacted, and the company’s main website, shopping cart, and account portal remained uncompromised due to effective network segmentation. The incident has led to increased urgency for patching SmarterMail installations across the sector and has been widely reported in technical and security news outlets. All information in this summary is based on primary, date-verified sources, including official disclosures from SmarterTools and independent technical analyses. [https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx], [https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/], [https://risky.biz/risky-bulletin-smartertools-hacked-via-its-own-product/]
Technical Information
The breach of SmarterTools by the Warlock group was enabled by critical authentication bypass vulnerabilities in SmarterMail (CVE-2026-23760 and CVE-2026-24423). These vulnerabilities allowed attackers to reset administrator passwords and gain full privileges on the affected system. The initial access point was a single, unpatched SmarterMail virtual machine that had been set up by an employee and was not maintained with security updates. This system was directly accessible from the internet, making it a high-value target for exploitation.
Once inside the network, the attackers established persistence by creating new user accounts, adding suspicious startup items, and scheduling tasks to maintain access. They leveraged Active Directory to move laterally within the Windows infrastructure, targeting 12 Windows servers on the office network and a secondary data center used for laboratory tests, quality control, and hosting. Notably, no Linux servers were compromised during the attack, highlighting the attackers’ focus on Windows environments.
The Warlock group utilized several tools and techniques during the intrusion. They deployed Velociraptor, an open-source digital forensics and incident response (DFIR) tool, for reconnaissance and potentially anti-forensics activities. SimpleHelp, a remote support tool, was used for remote access, and a vulnerable version of WinRAR was employed for data staging or exfiltration. The attackers also created new user accounts and scheduled tasks to ensure persistence across reboots and user sessions.
Approximately six to seven days after gaining initial access, the attackers attempted to deploy a ransomware payload. However, SentinelOne security products detected and blocked the ransomware, preventing any data encryption. The company was able to recover affected systems from backups, and no customer data or business applications were directly impacted. The company’s website, shopping cart, and account portal remained online and uncompromised due to effective network segmentation.
The Warlock group, also tracked as Gold Salem by Sophos and Storm-2603 by Microsoft, is known for targeting enterprise software vendors and hosting providers. Their tactics, techniques, and procedures (TTPs) blend state-sponsored espionage methods with cybercrime, often focusing on exploiting unpatched, public-facing applications and using advanced lateral movement and persistence techniques. In this incident, their activities were mapped to several MITRE ATT&CK techniques, including T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1136 (Create Account), T1053 (Scheduled Task/Job), T1547 (Boot or Logon Autostart Execution), T1021 (Remote Services), T1087 (Account Discovery), T1219 (Remote Access Software), T1569 (System Services), T1070 (Indicator Removal on Host), T1560 (Archive Collected Data), and T1486 (Data Encrypted for Impact).
The incident has significant implications for the sector, demonstrating the critical risk to email infrastructure providers and the importance of timely patch management. The vulnerabilities exploited in this attack were patched by SmarterTools in Build 9518 (January 15, 2026) and further improved in Build 9526 (January 22, 2026), but the unpatched system remained vulnerable. The breach and subsequent technical disclosures have led to increased urgency for patching SmarterMail installations, with the vulnerabilities being added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
All technical claims in this section are supported by primary, date-verified sources, including the official SmarterTools disclosure, technical news reports, and independent analyses. [https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx], [https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/], [https://risky.biz/risky-bulletin-smartertools-hacked-via-its-own-product/]
Affected Versions & Timeline
The vulnerabilities exploited in this incident affected SmarterMail versions prior to Build 9518. SmarterTools released Build 9518 on January 15, 2026, which patched the critical authentication bypass vulnerabilities (CVE-2026-23760 and CVE-2026-24423). Build 9526, released on January 22, 2026, included further improvements and security fixes. The breach occurred on January 29, 2026, when the Warlock group exploited an unpatched SmarterMail virtual machine that had not been updated to the latest secure build.
The incident timeline is as follows: On January 15, 2026, SmarterTools released Build 9518 with patches for the critical vulnerabilities. On January 22, 2026, Build 9526 was released with additional security enhancements. On January 29, 2026, the Warlock group breached the network via the unpatched SmarterMail VM. The breach was publicly disclosed by SmarterTools on February 3, 2026, and multiple security news outlets confirmed the incident and its technical details on February 9, 2026. [https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx], [https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/], [https://risky.biz/risky-bulletin-smartertools-hacked-via-its-own-product/]
Threat Activity
The Warlock group’s attack on SmarterTools followed a multi-stage process, beginning with the exploitation of authentication bypass vulnerabilities in an unpatched SmarterMail VM. After gaining initial access, the attackers established persistence by creating new user accounts, adding suspicious startup items, and scheduling tasks. They moved laterally within the Windows infrastructure using Active Directory, targeting 12 Windows servers and a secondary data center used for laboratory tests, quality control, and hosting. No Linux servers were compromised, indicating a focus on Windows environments.
The attackers utilized several tools during the intrusion, including Velociraptor for reconnaissance and potential anti-forensics, SimpleHelp for remote access, and a vulnerable version of WinRAR for data staging or exfiltration. Approximately six to seven days after initial access, the attackers attempted to deploy a ransomware payload. The ransomware was detected and blocked by SentinelOne security products, preventing data encryption and allowing recovery from backups.
The Warlock group is known for targeting enterprise software vendors and hosting providers, often exploiting unpatched, public-facing applications and using advanced lateral movement and persistence techniques. Their activities in this incident were consistent with their known tactics, techniques, and procedures, as documented by multiple independent sources. [https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx], [https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/], [https://risky.biz/risky-bulletin-smartertools-hacked-via-its-own-product/]
Mitigation & Workarounds
The following mitigation steps are prioritized by severity:
Critical: All organizations using SmarterMail must immediately update to Build 9518 or later, as these versions patch the authentication bypass vulnerabilities (CVE-2026-23760 and CVE-2026-24423). Unpatched systems remain at critical risk of exploitation. [https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx]
High: Conduct a comprehensive audit of all SmarterMail installations to identify and remediate any unpatched or unauthorized instances. Ensure that all public-facing systems are included in vulnerability management processes.
High: Review and strengthen network segmentation to limit lateral movement opportunities for attackers. Ensure that critical business applications and customer data are isolated from laboratory, test, and hosting environments.
High: Implement and regularly test endpoint detection and response (EDR) solutions, such as SentinelOne, to detect and block ransomware and other malicious payloads.
Medium: Review and restrict the use of remote access tools such as SimpleHelp and ensure that only authorized, up-to-date versions are deployed. Monitor for unauthorized use of DFIR tools like Velociraptor and vulnerable software such as WinRAR.
Medium: Regularly review user accounts, scheduled tasks, and startup items for signs of unauthorized changes or persistence mechanisms.
Low: Provide ongoing security awareness training to employees, emphasizing the importance of patch management and the risks associated with unpatched systems.
All mitigation recommendations are based on the technical findings and sector best practices as documented in primary sources. [https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx], [https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/], [https://risky.biz/risky-bulletin-smartertools-hacked-via-its-own-product/]
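As an added illustration of the account, scheduled-task and startup-item review recommended above (example code written for this page, not code from Rescana, SmarterTools or the cited sources), the script below walks a set of Windows event records starting from the suspected initial-access host and flags the persistence and lateral-movement patterns the report attributes to this intrusion. The event IDs are the standard Windows Security/System log and Sysmon ones; the hostnames, account names, timestamps and event details are constructed sample data, and the seven-day window mirrors the six-to-seven-day dwell time described in the report.

```python
"""Persistence / lateral-movement triage over Windows event records.

Added example, not part of the Rescana report. Maps event IDs to the ATT&CK
techniques the report lists (T1136, T1053, T1547, T1569, T1078/T1021) and
correlates newly created accounts with later logons on other hosts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int
    subject: str   # account that performed the action ("-" for network logons)
    target: str    # account, task path, service or registry value affected
    detail: str = ""


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    technique: str
    summary: str


# 4720 / 4698 / 4624 are Security-log events, 7045 is in the System log,
# 13 (registry value set) is Sysmon. Techniques are those listed in the report.
TECHNIQUES = {
    4720: ("T1136", "account created"),
    4698: ("T1053", "scheduled task created"),
    7045: ("T1569", "service installed"),
    13: ("T1547", "autostart registry value set"),
}
# Substring check that covers both ...\CurrentVersion\Run and ...\RunOnce.
AUTOSTART_MARKER = "\\currentversion\\run"


def triage(events, pivot_host, window=timedelta(days=7)):
    """Return findings inside the window that opens at the first event on pivot_host."""
    pivot_times = [e.ts for e in events if e.host == pivot_host]
    if not pivot_times:
        return []
    start = min(pivot_times)
    end = start + window
    in_window = sorted((e for e in events if start <= e.ts <= end), key=lambda e: e.ts)

    findings = []
    new_accounts = {}  # lowercase account name -> (created_at, host where created)
    for e in in_window:
        if e.event_id == 4720:
            new_accounts[e.target.lower()] = (e.ts, e.host)
        if e.event_id == 13 and AUTOSTART_MARKER not in e.target.lower():
            continue  # registry write outside the Run/RunOnce keys: not an autostart
        if e.event_id in TECHNIQUES:
            tid, what = TECHNIQUES[e.event_id]
            findings.append(Finding(e.ts, e.host, tid, f"{what}: {e.target} by {e.subject}"))
        elif e.event_id == 4624:
            hit = new_accounts.get(e.target.lower())
            if hit is not None:
                created_at, origin = hit
                # A freshly created account logging on elsewhere is the T1078/T1021 pattern.
                if e.host != origin and e.ts > created_at:
                    findings.append(Finding(
                        e.ts, e.host, "T1078/T1021",
                        f"logon by {e.target}, created {e.ts - created_at} earlier on {origin}"))
    return findings


def sample_events():
    """Constructed sample records; every name and time here is made up."""
    t0 = datetime(2026, 1, 29, 3, 12)
    return [
        Event(t0, "MAIL-VM01", 4720, "administrator", "svc_backup2", "new local account"),
        Event(t0 + timedelta(minutes=4), "MAIL-VM01", 4698, "svc_backup2",
              "\\Microsoft\\Windows\\UpdateCheck", "task runs at logon"),
        Event(t0 + timedelta(minutes=9), "MAIL-VM01", 13, "svc_backup2",
              "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
        Event(t0 + timedelta(hours=5), "DC01", 4624, "-", "svc_backup2", "logon type 3"),
        Event(t0 + timedelta(days=1), "WS17", 13, "jdoe",
              "HKCU\\Software\\Example\\Setting", "ordinary registry write"),
        Event(t0 + timedelta(days=2), "LAB-SRV04", 7045, "svc_backup2",
              "RemoteSupportSvc", "remote support tool installed as a service"),
        Event(t0 + timedelta(days=30), "FILE01", 4698, "jdoe",
              "\\Backup\\Nightly", "outside the triage window"),
    ]


if __name__ == "__main__":
    for f in triage(sample_events(), "MAIL-VM01"):
        print(f"{f.ts:%Y-%m-%d %H:%M}  {f.host:<10} {f.technique:<12} {f.summary}")
```

Run against the constructed records it reports five findings in order: the new account, the scheduled task and the Run-key entry on the mail VM, the logon by that account on the domain controller, and the service install on the lab server; the registry write to a non-autostart key and the task created a month later fall outside the filter. In practice the records would come from a SIEM export or `Get-WinEvent`, and the pivot host would be the unpatched SmarterMail instance identified in the audit.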
References
BleepingComputer, "Hackers breach SmarterTools network using flaw in its own software," Feb 9, 2026: https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/
SmarterTools Community, "Summary of SmarterTools Breach and SmarterMail CVEs," Feb 3, 2026: https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx
Risky.biz, "Risky Bulletin: SmarterTools hacked via its own product," Feb 9, 2026: https://risky.biz/risky-bulletin-smartertools-hacked-via-its-own-product/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their digital supply chain. Our platform enables continuous visibility into vendor security posture, supports automated risk assessments, and facilitates rapid response to emerging threats. For questions about this report or to discuss your organization’s risk management needs, contact us at ops@rescana.com.