
SmarterTools has confirmed that a breach in its internal network was traced back to an unpatched Windows-based SmarterMail server, exposing several systems to hackers.
The company attributes the intrusion to the Warlock ransomware group, a known threat actor with a history of targeting Microsoft-based infrastructure, and warns customers to remain vigilant even after patching.
According to Derek Curtis, Chief Communications Officer at SmarterTools, the attack occurred on January 29 and originated from a forgotten virtual machine running an outdated instance of SmarterMail. Although SmarterTools had deployed the mail server across about 30 systems, one had escaped regular patch management, a gap that ultimately allowed the attackers in.
SmarterTools claims its prompt segmentation of internal networks prevented the compromise from spreading to customer-facing services such as its website, shopping platform, and user account portal. However, Windows systems at its office and a secondary data center, used for quality control and hosting a SmarterTrack portal, were affected. The company reports that approximately a dozen Windows servers showed signs of compromise, while none of its Linux systems were impacted. Virus scanning software from SentinelOne is credited with preventing further damage, such as ransomware deployment.
Founded in 2003, SmarterTools Inc. develops communication and customer service software, with SmarterMail being its flagship mail server platform. The software is used by hosting companies, ISPs, and enterprises worldwide, making any vulnerability or exploit in its ecosystem a concern for thousands of deployments. While SmarterTools has transitioned to being a primarily Linux-based organization, many of its customers still operate in Windows environments, which appear to be the primary target of this campaign.
Following the incident, SmarterTools restructured its internal network by eliminating Windows systems where feasible and abandoning Active Directory. The company is now enforcing complete password resets across its infrastructure and tightening endpoint monitoring.
The company disclosed that the Warlock threat group was behind the intrusion, noting similar tactics observed in compromised customer environments. The attackers typically establish persistence after initial access, delaying malicious actions for nearly a week, long enough to bypass reactive patching. Once a foothold is gained, they attempt to take over Active Directory servers, create new user accounts, distribute payloads across Windows machines, and execute encryption attempts.
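The Active Directory takeover and account creation described above leave a recognisable trail in the Windows Security log: an account is created (event 4720) and shortly afterwards added to a privileged group (4728 for a global group such as Domain Admins, 4732 for a local group such as Administrators). The following is an added detection example, written for this page and not taken from SmarterTools, SentinelOne or the article, that correlates those two events within a time window. The event IDs are standard Windows Security log IDs; the JSON field names are a simplified constructed schema (not the native Windows event XML), and all sample events are constructed.

```python
"""Correlate account creation with privileged-group membership changes.

Added example (not SmarterTools' or any vendor's code). Event IDs are
standard Windows Security log IDs; the JSON field names are a simplified
schema assumed for this example, and every sample event is constructed.
"""
import json
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720          # A user account was created
ADDED_TO_GLOBAL_GROUP = 4728    # Member added to a security-enabled global group
ADDED_TO_LOCAL_GROUP = 4732     # Member added to a security-enabled local group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample log: one account is created and made privileged twice
# within a day; a second account is created and added only to a normal group.
SAMPLE_EVENTS = """\
{"time": "2026-01-29T02:11:05", "event_id": 4720, "computer": "dc01", "target_user": "svc_backup2", "subject_user": "Administrator"}
{"time": "2026-01-29T02:11:40", "event_id": 4728, "computer": "dc01", "member": "svc_backup2", "group": "Domain Admins", "subject_user": "Administrator"}
{"time": "2026-01-29T09:30:00", "event_id": 4720, "computer": "dc01", "target_user": "jdoe", "subject_user": "hr_admin"}
{"time": "2026-01-29T10:05:12", "event_id": 4732, "computer": "track01", "member": "svc_backup2", "group": "Administrators", "subject_user": "svc_backup2"}
{"time": "2026-01-30T11:00:00", "event_id": 4728, "computer": "dc01", "member": "jdoe", "group": "Sales", "subject_user": "hr_admin"}
"""


def parse_events(text):
    """Parse JSON-lines event records, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def detect_new_privileged_accounts(events, window=timedelta(hours=24)):
    """Alert when an account is added to a privileged group within `window`
    of its creation. Returns one alert dict per matching membership event."""
    created = {}   # account name (lower-cased) -> creation time
    alerts = []
    for e in sorted(events, key=lambda r: r["time"]):
        if e["event_id"] == ACCOUNT_CREATED:
            created[e["target_user"].lower()] = e["time"]
        elif e["event_id"] in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP):
            if e["group"] not in PRIVILEGED_GROUPS:
                continue
            member = e["member"].lower()
            t0 = created.get(member)
            if t0 is not None and e["time"] - t0 <= window:
                alerts.append({
                    "account": e["member"],
                    "group": e["group"],
                    "computer": e["computer"],
                    "created_at": t0,
                    "elevated_at": e["time"],
                    "seconds_after_creation": int((e["time"] - t0).total_seconds()),
                    "by": e["subject_user"],
                })
    return alerts


if __name__ == "__main__":
    for a in detect_new_privileged_accounts(parse_events(SAMPLE_EVENTS)):
        print(f"{a['account']} -> {a['group']} on {a['computer']} "
              f"{a['seconds_after_creation']}s after creation (by {a['by']})")
```

Because the article notes that the group waits close to a week between initial access and follow-on actions, the useful threshold is not how soon after patching an event occurs but how soon after an account's creation it becomes privileged; legitimate provisioning rarely does both within minutes.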
Curtis also noted that the attackers are exploiting CVEs in multiple enterprise products beyond SmarterMail, naming SharePoint and Veeam.
SmarterTools released SmarterMail Build 9518 on January 15, 2026, which contains patches for the CVEs exploited in the attack. This was followed by Build 9526 on January 22, which introduced additional security enhancements and bug fixes discovered during internal audits. The company urges all customers to update immediately and to review their antivirus configurations to ensure compatibility with SmarterMail, a step necessary to prevent false positives and avoid corrupting mail server files.
While SmarterTools reports no ongoing vulnerabilities in the latest SmarterMail builds, it is continuing code audits and working with external security researchers to identify weaknesses preemptively.