Ransomware group breached SmarterTools via flaw in its SmarterMail deployment
SmarterTools, the company behind the popular Microsoft Exchange alternative SmarterMail, has been breached by a ransomware-wielding group that leveraged a recently fixed vulnerability in that solution.

How did the SmarterTools breach happen?
Derek Curtis, the firm’s Chief Operating Officer, said that the breach happened on January 29, 2026.
“Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network. Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach,” he shared last week.
The attack ended up affecting the company’s office network and a network at a datacenter hosting labs for quality control work.
“At the data center, we hosted our Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory. We didn’t see much affected there and, out of an abundance of caution, we restored some of those servers from the most recent backup, which was six hours old,” he added.
“Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts. None of the Linux servers were affected. None of our business applications or account data were affected or compromised.”
In the aftermath of the attack, the company eliminated Windows from its networks, stopped using Active Directory services, and changed passwords throughout its network.
The attackers’ TTPs
Curtis did not share which vulnerability was exploited by the attackers, but CVE-2026-24423 seems like a likely candidate: the flaw was added to CISA’s Known Exploited Vulnerabilities catalog on February 5, 2026, and marked as “Exploited in ransomware attacks”.
(Two other SmarterMail vulnerabilities were added to the same catalog in late January, but those are not known to be leveraged in ransomware attacks.)
What he did share is that the group behind the “hit” is the Warlock group (aka Gold Salem, aka Storm-2603), which has been targeting a wide variety of organizations, mostly in North America, Europe, and South America.
The group uses the Warlock ransomware and double extortion tactics.
“Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later,” Curtis explained.
“They often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.”
Curtis shared other tactics, techniques, and procedures (TTPs) used by the group: common file names and folders, and common programs leveraged (e.g., Velociraptor, SimpleHelp, WinRAR).
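The sequence Curtis describes (a foothold, a dwell period of roughly a week, new accounts on the Active Directory server, then tooling pushed to Windows hosts) can be hunted for in Windows Security event logs. The script below is an added example written for this article, not code from SmarterTools or from the attackers' toolset; the event records, hostnames and executable names in it are constructed, and the tool filenames are assumptions based on the product names quoted above.

```python
"""Hunt for the post-exploitation sequence the article attributes to Warlock:
a new account appears on the AD server, then the named tooling (Velociraptor,
SimpleHelp, WinRAR) runs on Windows hosts. Event IDs 4720 (account created)
and 4688 (process created) are real Windows Security events; the sample
records, hostnames and executable names below are constructed for the example."""
import json
import ntpath
from datetime import datetime, timedelta

WATCHED_TOOLS = {"velociraptor.exe", "simplehelp.exe", "winrar.exe", "rar.exe"}
DWELL_WINDOW = timedelta(days=7)  # "wait approximately 6-7 days" per the article

# Constructed JSON-lines sample, not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2026-01-29T02:14:00", "host": "MAIL-VM7", "id": 4688, "proc": "C:\\Temp\\winrar.exe"}
{"ts": "2026-02-03T23:41:00", "host": "DC01", "id": 4720, "user": "svc_backup2"}
{"ts": "2026-02-04T00:05:00", "host": "DC01", "id": 4688, "proc": "C:\\ProgramData\\Velociraptor.exe"}
{"ts": "2026-02-04T00:20:00", "host": "WS-12", "id": 4688, "proc": "C:\\Windows\\notepad.exe"}
{"ts": "2026-02-20T09:00:00", "host": "DC01", "id": 4688, "proc": "C:\\Tools\\simplehelp.exe"}
"""

def parse_events(text):
    """Parse JSON-lines records into dicts with a datetime 'ts', sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def is_watched_tool(event):
    return event["id"] == 4688 and ntpath.basename(event["proc"]).lower() in WATCHED_TOOLS

def hunt(events):
    """Return alerts. HIGH: an account creation followed by watched tooling within
    DWELL_WINDOW (the article's AD-takeover-then-spread pattern). MEDIUM: watched
    tooling not preceded by an account creation inside the window."""
    tool_runs = [e for e in events if is_watched_tool(e)]
    explained, alerts = set(), []
    for acct in (e for e in events if e["id"] == 4720):
        deadline = acct["ts"] + DWELL_WINDOW
        followers = [t for t in tool_runs if acct["ts"] <= t["ts"] <= deadline]
        if followers:
            explained.update(id(t) for t in followers)
            alerts.append({"severity": "high", "user": acct["user"],
                           "created_on": acct["host"],
                           "tool_hosts": sorted({t["host"] for t in followers})})
    for t in tool_runs:
        if id(t) not in explained:
            alerts.append({"severity": "medium", "host": t["host"],
                           "proc": t["proc"], "ts": t["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in hunt(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, the Velociraptor run on the domain controller the night after the new account is raised as high, while the WinRAR run on the unpatched mail VM and the later SimpleHelp run are flagged on their own; in a real estate, sanctioned administrative use of these tools should be allow-listed before the rule is deployed.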
“It is also important to note that CVEs are being discovered across many different products. Some groups install legitimate-looking applications on servers and later exploit. For example, the Warlock Group frequently targets CVEs in SharePoint and Veeam and has now targeted SmarterMail. Recent Notepad++ update vulnerabilities are another example of how trusted applications can be leveraged to further exploit systems, servers, and desktops,” he added.
