Devastating Warlock Ransomware Attack on SmarterTools Unleashes Chaos

SmarterTools recently confirmed that its network was compromised by the Warlock ransomware gang, also known as Storm-2603, through exploitation of an unpatched SmarterMail instance.

The breach occurred on January 29, 2026, when an outdated mail server was compromised, according to Derek Curtis, the company’s Chief Commercial Officer.

Despite the breach, SmarterTools said that its website, shopping cart, My Account portal, and other services were not affected, and that no business applications or account data were compromised.

Approximately 12 Windows servers in the company’s office network and a secondary data center used for quality control tests were impacted by the breach. Hosted customers using SmarterTrack were also affected.

After gaining initial access, the Warlock group waited a few days before taking control of the Active Directory server and dropping additional payloads, such as Velociraptor and the locker used to encrypt files.

It is unclear which specific SmarterMail vulnerability was exploited, but known vulnerabilities in the email software have been actively exploited in the wild.

SmarterTools addressed the vulnerabilities in build 9511, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirming that one of the vulnerabilities was being exploited in ransomware attacks.

Security company ReliaQuest identified activity linked to Warlock that abused a specific vulnerability to stage the ransomware payload on systems. The attackers leveraged the initial access to download malicious installers from legitimate platforms.

Users of SmarterMail are advised to upgrade to the latest version (Build 9526) for maximum protection and to isolate mail servers to prevent the lateral movement attempts used by ransomware.

(This article has been updated to include a response from ReliaQuest.)
