Warlock Ransomware Hits SmarterTools by Exploiting Flaw in its Own Email Server Software

SmarterTools Breached by Warlock Ransomware via Unpatched SmarterMail Vulnerability (CVE-2026-23760)

HIGH
February 20, 2026
Ransomware, Vulnerability, Cyberattack

Impact Scope

Affected Companies

SmarterTools

Industries Affected

Technology, Other

Related Entities

Threat Actors

Warlock (Storm-2603)

Organizations

SmarterTools ReliaQuest

Products & Tech

SmarterMail, Velociraptor, Supabase

CVE Identifiers

CVE-2026-23760
CRITICAL

Full Report

Executive Summary

Software vendor SmarterTools has been compromised by the Warlock ransomware group (also tracked as Storm-2603) in an attack that exploited a vulnerability in the company's own product. The attackers gained initial access by exploiting CVE-2026-23760, a critical authentication bypass vulnerability in the SmarterMail email server. After breaching the network, the threat actors deployed their ransomware payload and took steps to establish persistence by installing a malicious version of the legitimate Velociraptor digital forensics tool. This incident serves as a potent and ironic lesson in the importance of rapid patching, as the company fell victim to a known and patchable flaw in its own software.

Vulnerability Details

  • Product: SmarterTools SmarterMail
  • CVE ID: CVE-2026-23760
  • Vulnerability Type: Authentication Bypass
  • Impact: The vulnerability allows a remote, unauthenticated attacker to bypass authentication checks and gain access to the system, providing a direct path for initial compromise.

Threat Overview

The attack, first detected on January 29, 2026, was carried out by the Warlock ransomware gang. Their attack chain was efficient and effective:

  1. Initial Access - Exploit Public-Facing Application (T1190): The group exploited CVE-2026-23760 on an unpatched, internet-facing SmarterMail server to gain their initial foothold within the SmarterTools network.
  2. Execution and Persistence: The attackers deployed a malicious Supabase MSI installer. This installer was used to deploy the Velociraptor DFIR tool. While Velociraptor is a legitimate tool used by defenders, attackers are increasingly co-opting it for their own purposes, such as reconnaissance, data collection, and maintaining persistence. This is a classic example of Masquerading (T1036) and use of Remote Access Software (T1219).
  3. Privilege Escalation: Post-compromise, the attackers were observed attempting to reset administrator passwords, indicating efforts to escalate privileges and deepen their control over the network.
  4. Impact - Data Encrypted for Impact (T1486): The ultimate goal was achieved by deploying the Warlock ransomware to encrypt files and disrupt operations.

Impact Assessment

For SmarterTools, this is a particularly damaging incident. Not only does the company suffer the typical costs and disruption of a ransomware attack, but the fact that they were breached by a vulnerability in their own product creates a significant reputational crisis. It calls into question their internal security practices and may cause their customers to lose faith in the security of the SmarterMail product itself. Customers will be urgently questioning whether they too are at risk and if the vendor is following its own security advice.

Cyber Observables for Detection

Type           Value                           Description
file_name      Supabase.msi                    The malicious installer used to deploy the Velociraptor tool.
process_name   velociraptor.exe                The execution of the Velociraptor binary in an unexpected context is a strong indicator of compromise.
url_pattern    SmarterMail web interface URL   Monitor for exploit attempts against CVE-2026-23760.

Detection Methods

  • Vulnerability Scanning: Organizations using SmarterMail should have already scanned their environments for CVE-2026-23760 and patched. Any remaining vulnerable instances should be considered at high risk of compromise.
  • Endpoint Monitoring: Monitor for the execution of velociraptor.exe or any suspicious MSI installations, especially on mail servers. EDR tools should be configured to alert on legitimate administrative or DFIR tools being used in an unauthorized manner. This is a key part of D3FEND Process Analysis (D3-PA).
  • Log Analysis: Review SmarterMail logs for signs of the authentication bypass exploit being used, followed by suspicious account activity or password resets.
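The following Python script is an added worked example, not code from the original report or from SmarterTools, ReliaQuest or the Velociraptor project. It turns the observables in the table above and the "context, not just the tool" approach from the Detection Methods list into two rules run over constructed Sysmon-style process-creation events: an msiexec launch of the named installer is always high severity, while a velociraptor.exe launch is graded by where it runs (a mail server, per an assumed host-role inventory) and who launched it (msiexec as parent), so an analyst's own Velociraptor on a workstation is logged at low severity rather than paged. Host names, file paths and the log lines themselves are placeholders built for the example; the malformed last line shows that the scan skips bad records instead of aborting.

```python
import json
import re
from dataclasses import dataclass

# Assumed host inventory (constructed for this example): the rules treat any
# Velociraptor launch on a mail-server role as unexpected.
HOST_ROLES = {
    "MAIL01": "mail_server",
    "WS-ANALYST07": "analyst_workstation",
}

# Observables named in the report.
SUPABASE_MSI = re.compile(r"supabase\.msi\b", re.IGNORECASE)
VELOCIRAPTOR_EXE = re.compile(r"(^|[\\/])velociraptor\.exe$", re.IGNORECASE)
MSIEXEC_EXE = re.compile(r"(^|[\\/])msiexec\.exe$", re.IGNORECASE)

# Constructed Sysmon-style process-creation events, one JSON object per line.
# Paths are placeholders, not SmarterMail's real install layout.
SAMPLE_LOG = [
    json.dumps({"ts": "2026-01-29T02:14:05Z", "host": "MAIL01",
                "image": r"C:\Windows\System32\msiexec.exe",
                "parent_image": r"C:\placeholder\MailServiceProcess.exe",
                "cmdline": r"msiexec.exe /i C:\Windows\Temp\Supabase.msi /qn"}),
    json.dumps({"ts": "2026-01-29T02:14:31Z", "host": "MAIL01",
                "image": r"C:\Program Files\placeholder\velociraptor.exe",
                "parent_image": r"C:\Windows\System32\msiexec.exe",
                "cmdline": "velociraptor.exe --config client.config.yaml client"}),
    json.dumps({"ts": "2026-01-29T09:02:11Z", "host": "WS-ANALYST07",
                "image": r"C:\Tools\velociraptor.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "cmdline": "velociraptor.exe gui"}),
    json.dumps({"ts": "2026-01-29T09:05:00Z", "host": "MAIL01",
                "image": r"C:\Windows\System32\svchost.exe",
                "parent_image": r"C:\Windows\System32\services.exe",
                "cmdline": "svchost.exe -k netsvcs"}),
    "not valid json {",  # malformed record: must be skipped, not crash the scan
]


@dataclass
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


def analyze_event(event: dict) -> list[Alert]:
    """Apply the two context-aware rules to one process-creation event."""
    alerts: list[Alert] = []
    host = event.get("host", "?")
    role = HOST_ROLES.get(host, "unknown")
    image = event.get("image", "")
    parent = event.get("parent_image", "")
    cmdline = event.get("cmdline", "")

    # Rule 1: msiexec installing the named malicious package, on any host.
    if MSIEXEC_EXE.search(image) and SUPABASE_MSI.search(cmdline):
        alerts.append(Alert(host, "supabase_msi_install", "high",
                            f"msiexec ran Supabase.msi: {cmdline}"))

    # Rule 2: Velociraptor execution, graded by context rather than by name.
    if VELOCIRAPTOR_EXE.search(image):
        unexpected = role == "mail_server" or bool(MSIEXEC_EXE.search(parent))
        alerts.append(Alert(
            host, "velociraptor_exec",
            "high" if unexpected else "low",
            f"velociraptor.exe launched by {parent or 'unknown'} on {role} host"))
    return alerts


def analyze_log(lines) -> list[Alert]:
    """Scan JSON-lines telemetry, skipping malformed records."""
    alerts: list[Alert] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            alerts.extend(analyze_event(event))
    return alerts


def high_severity_hosts(alerts) -> set[str]:
    """Hosts that need immediate assume-breach triage."""
    return {a.host for a in alerts if a.severity == "high"}


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity.upper():4}] {a.host:12} {a.rule:22} {a.detail}")
    print("triage:", sorted(high_severity_hosts(found)))
```

Run as-is, the sample log yields two high-severity alerts on MAIL01 (the installer and the msiexec-spawned Velociraptor) and one low-severity record for the analyst workstation; in production the host-role map would come from the asset inventory the report says organizations must maintain, and the rules would feed an EDR or SIEM rather than print.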

Remediation Steps

  1. Patch Immediately: Any organization still running a vulnerable version of SmarterMail must patch CVE-2026-23760 immediately. This is the most critical step. This is a direct application of D3FEND Software Update (D3-SU).
  2. Assume Breach: If you were running a vulnerable version, you must assume breach and hunt for signs of compromise, such as the presence of Velociraptor or other unexpected tools.
  3. Harden Email Servers: Email servers are high-value targets. They should be placed in a secure network segment, have all unnecessary ports and services disabled, and be monitored closely with EDR and network security tools.
  4. Review Third-Party Tools: Security teams need to be aware that attackers are 'living off the land' not just with OS tools, but with legitimate third-party security and admin tools like Velociraptor. Detections should be built to identify the context of a tool's use, not just the tool itself.

Timeline of Events

  1. January 29, 2026: SmarterTools first detects the intrusion by the Warlock ransomware group.
  2. February 20, 2026: The incident and its technical details are publicly reported.
  3. February 20, 2026: This article was published.

MITRE ATT&CK Mitigations

The most fundamental mitigation: promptly apply security patches for all software, especially internet-facing applications.

Use EDR to detect when legitimate tools like Velociraptor are used in a malicious context.

Use application control or whitelisting to prevent unauthorized software (like a rogue Velociraptor install) from running on critical servers.

D3FEND Defensive Countermeasures

This incident is a textbook case for the importance of timely Software Updates. SmarterTools was breached by a known, patchable vulnerability in its own product. The primary and most effective countermeasure is a robust and rapid patch management program. For a critical, internet-facing application like the SmarterMail server, 'rapid' should mean hours or days, not weeks. Organizations must have a complete asset inventory to know they are running SmarterMail, subscribe to vendor security bulletins, and have a process to quickly test and deploy critical security patches. In this case, simply applying the patch for CVE-2026-23760 when it was released would have completely prevented this breach.

To prevent the attackers from establishing persistence with a malicious tool, SmarterTools could have used Executable Allowlisting on their mail server. A mail server has a very predictable set of processes that need to run. An allowlisting policy would define this set of legitimate executables and block everything else by default. When the attacker attempted to run their malicious 'Supabase.msi' or the resulting 'velociraptor.exe', the operating system would have blocked the execution because it was not on the approved list. This would have stopped the attack after the initial access, preventing the deployment of ransomware and significantly limiting the damage.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

warlock, ransomware, smartertools, smartermail, cve-2026-23760, patch management
