Full Report
As promised, we wanted to provide additional information regarding the network breach we experienced last Thursday (January 29, 2026), along with summaries of our releases and what we have observed both on our servers and when working with SmarterMail customers who have been compromised. Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network. Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach. As you can imagine, we have been working extensively with customers whose systems were vulnerable to attack. We were compromised by a group known as the Warlock Group, and we have observed similar activity on customer machines. Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.
Analysis Summary
# Incident Report: SmarterTools Network Breach via Unpatched SmarterMail
## Executive Summary
A network breach was discovered on January 29, 2026 and attributed to the threat actor group known as the Warlock Group. Initial access came through an employee-deployed virtual machine running an unpatched SmarterMail build that was missing from the organization's inventory; from there the attackers moved into the Windows/Active Directory estate. Response actions included immediate shutdown and internet disconnection, rebuilding or restoring compromised servers, a network-wide password rotation, and an architectural decision to remove Active Directory and Windows servers where possible; remediation work with affected SmarterMail customers followed.
## Incident Details
- Discovery Date: Thursday, January 29, 2026 (described in the vendor post as "last Thursday"; the analysis assumes a report date of about February 3, 2026)
- Initial Access Date: Not stated; the observed 6–7 day dwell period places it roughly a week before discovery
- Affected Organization: SmarterTools Inc.
- Sector: Technology/Software Vendor (Supporting mail services)
- Geography: Not explicitly stated, implied internal corporate networks/data centers.
## Timeline of Events
### Initial Access
- Date/Time: Roughly a week before January 29, 2026. The breach was noticed on January 29, but the attackers' observed 6–7 day dwell period means the unpatched VM was entered well before that date.
- Vector: Exploitation of a vulnerability in an unpatched SmarterMail build (the report does not name the specific CVE).
- Details: An employee-provisioned VM running SmarterMail had fallen out of the update process and was unknown to IT, so it was never patched and became the entry point.
### Lateral Movement
- Date/Time: Approximately 6–7 days following initial access.
- Vector: Post-exploitation techniques targeting Windows environments.
- Details: After gaining access, attackers staged their files and waited 6–7 days before escalating. In the cases observed, they then attempted to take control of the Active Directory server, create new users, and push files to other Windows machines.
### Data Exfiltration/Impact
- Date/Time: After the 6–7 day dwell period.
- Impact: Compromise of the main office network and of a data center housing the QC labs, the Portal, and a Hosted SmarterTrack network, all joined through Active Directory. Encryption (ransomware) was attempted; SentinelOne blocked most of those attempts.
### Detection & Response
- Date/Time: January 29, 2026 (Upon noticing the breach).
- Detection Source: Internal observation together with SentinelOne endpoint alerts.
- Details: Affected servers were instantly shut down, and all internet access was disabled pending full evaluation. The organization worked extensively with compromised SmarterMail customers.
## Attack Methodology
- Initial Access: Unpatched SmarterMail server (employee-deployed VM).
- Persistence: Dropped files including Velociraptor, JWrapper, "Remote Access", and SimpleHelp. Velociraptor (a DFIR agent) and SimpleHelp (remote support software) are legitimate tools, so their presence is an indicator only where the organization never deployed them. Suspicious startup items and newly created scheduled tasks were also observed.
- Privilege Escalation: Attempted take-over of the Active Directory server to create new users.
- Defense Evasion: Staging files and then waiting 6–7 days before acting, so that the intrusion predated, and survived, patches applied in the meantime; reliance on legitimate remote-administration tooling that blends in with normal admin activity.
- Credential Access: Implied techniques used in AD takeover attempts (not detailed).
- Discovery: Reconnaissance within the network to target Windows machines.
- Lateral Movement: Distribution of executable files across Windows machines using common directories (e.g., Public, AppData, ProgramData).
- Collection: Not detailed.
- Exfiltration: Not detailed.
- Impact: Potential encryption attempts; operational disruption of office and data center networks.
## Impact Assessment
- Financial: Not explicitly stated, but significant effort and downtime occurred to remediate.
- Data Breach: No customer-facing data exposure was announced; the website, shopping cart, and account data were reported unaffected. The compromise was confined to internal office and lab servers (roughly 12 Windows VMs out of about 30 SmarterMail installations across the network).
- Operational: Office and QC lab networks shut down and disconnected from the internet; some systems had to be restored from backups up to 6 hours old.
- Reputational: Public disclosure via community post to address the incident and assist customers.
## Indicators of Compromise
- Network Indicators: None provided in the report.
- File Indicators: Velociraptor, JWrapper, "Remote Access", SimpleHelp (legitimate tools, see Persistence above); older WinRAR versions; Run.exe, Run.dll, main.exe; short random filenames (e.g., e0f8rM_0.ps1); randomly named .aspx files in web-served directories, consistent with web shells dropped into the SmarterMail web interface.
- Behavioral Indicators: Unexpected local users or administrators, suspicious startup items, newly created or modified scheduled tasks, and executables dropped under Public, AppData, or ProgramData. At the perimeter, exploitation of known CVEs in exposed business applications (SmarterMail, SharePoint, Veeam).
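As an added triage example (not SmarterTools' code and not part of the original report), the following Python applies the file and behavioral indicators listed above to paths from a Windows directory listing and to scheduled-task command lines. It generalizes the report's single random-name example (e0f8rM_0.ps1) into a short-alphanumeric-stem heuristic and adds the drop-directory and web-root rules as separate reasons so each hit is explainable. The SmarterMail web root, all sample paths, and the task command line are constructed assumptions, not values from the report.

```python
"""Triage helper for the file and scheduled-task indicators in the report.

Constructed example, not SmarterTools' tooling.  Feed it file paths taken from
a directory listing of a SmarterMail host, or the 'Task To Run' command lines
of scheduled tasks, and it returns one reason string per matching rule.
"""
import re
from pathlib import PureWindowsPath

# Names the report lists verbatim, matched case-insensitively.
KNOWN_NAMES = {"run.exe", "run.dll", "main.exe"}
# Extensions treated as executable or script content.
EXEC_EXTS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Directory names the report identifies as drop locations.
DROP_DIRS = {"public", "appdata", "programdata"}
# Trees where short alphanumeric names are normal (system DLLs, runtimes);
# the random-name rule is suppressed there to cut noise.
QUIET_PREFIXES = ("c:\\windows", "c:\\program files")
# Stem shape of the report's example e0f8rM_0.ps1: a short alphanumeric run
# with an optional _<digits> suffix.
RANDOM_STEM = re.compile(r"^[a-z0-9]{4,10}(?:_\d+)?$", re.IGNORECASE)
# Tokeniser for a task command line: quoted strings or bare words.
TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def looks_random(stem: str) -> bool:
    """True for stems like 'e0f8rM_0' or 'x7k2q': short, letters and digits mixed."""
    core = stem.split("_", 1)[0]
    return (RANDOM_STEM.match(stem) is not None
            and any(c.isdigit() for c in core)
            and any(c.isalpha() for c in core))


def _under(path: PureWindowsPath, root: str) -> bool:
    """Case-insensitive 'path is inside root' check on path components."""
    root_parts = [p.lower() for p in PureWindowsPath(root).parts]
    return [p.lower() for p in path.parts[:len(root_parts)]] == root_parts


def classify_path(path: str, web_root: str) -> list[str]:
    """Return the IoC rules a single file path matches (empty list = clean).

    web_root is the directory that legitimately serves SmarterMail's .aspx
    pages (an assumption supplied by the caller); any other .aspx location is
    treated as suspect, and random-named .aspx files inside it are flagged too.
    """
    p = PureWindowsPath(path)
    name, stem, ext = p.name.lower(), p.stem, p.suffix.lower()
    reasons = []
    if name in KNOWN_NAMES:
        reasons.append("known dropper name")
    if ext == ".aspx":
        if not _under(p, web_root):
            reasons.append("aspx outside web root")
        elif looks_random(stem):
            reasons.append("random-named aspx in web root")
    if ext in EXEC_EXTS:
        for part in p.parts[:-1]:
            if part.lower() in DROP_DIRS:
                reasons.append(f"executable in drop directory ({part})")
                break
        if looks_random(stem) and not str(p).lower().startswith(QUIET_PREFIXES):
            reasons.append("short random filename")
    return reasons


def classify_task(task_name: str, command: str, web_root: str) -> list[str]:
    """Apply classify_path to every path-like token in a task's command line,
    so a task running 'powershell -File C:\\Users\\Public\\e0f8rM_0.ps1' is
    caught even though the program itself (powershell) is legitimate."""
    hits = []
    for quoted, bare in TOKEN.findall(command):
        token = quoted or bare
        if "\\" in token:
            hits.extend(f"{task_name}: {token}: {r}"
                        for r in classify_path(token, web_root))
    return hits


def scan(paths, web_root: str) -> dict[str, list[str]]:
    """Map each suspicious path to its reasons; clean paths are omitted."""
    return {p: r for p in paths if (r := classify_path(p, web_root))}


if __name__ == "__main__":
    # Constructed listing; the web root is an assumption for the example.
    WEB_ROOT = r"C:\SmarterMail\MRS"
    LISTING = [
        r"C:\Users\Public\e0f8rM_0.ps1",
        r"C:\ProgramData\Run.exe",
        r"C:\Windows\System32\msvcp140.dll",
        r"C:\inetpub\wwwroot\x7k2q.aspx",
        r"C:\SmarterMail\MRS\Default.aspx",
    ]
    for path, why in scan(LISTING, WEB_ROOT).items():
        print(path, "->", "; ".join(why))
    TASK_CMD = r'powershell.exe -ep bypass -File "C:\Users\Public\e0f8rM_0.ps1"'
    for hit in classify_task("Updater", TASK_CMD, WEB_ROOT):
        print(hit)
```

Treat the output as a triage queue, not a verdict: the drop-directory rule will flag legitimate installers under AppData and ProgramData, and the random-name rule is deliberately muted under C:\Windows and C:\Program Files because short alphanumeric names are normal there. The scheduled-task check matters because, as the report notes, the tasks themselves are often newly created; walking every token of the command line catches scripts launched through a legitimate interpreter, which a check on the program name alone would miss.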
## Response Actions
- Containment: Instant shutdown of all affected servers and disabling of all internet connectivity.
- Eradication: Compromised servers rebuilt or restored from clean backups; all network passwords replaced.
- Recovery: Restoring systems from clean backups (up to 6 hours old).
- Architectural Change: Elimination of Windows servers where possible; removal of Active Directory services from the environment.
## Lessons Learned
- Unmanaged shadow IT (employee-set-up, unupdated VMs) creates critical security blind spots.
- A multi-day dwell period means a host patched after initial access can still detonate later; the patch date is not a clean-bill-of-health date, so every SmarterMail host needs to be checked for the indicators above regardless of when it was updated.
- Endpoint protection (SentinelOne) performed well, blocking the encryption stage even though the attackers had already established persistence.
- The Warlock Group actively exploits trusted application CVEs (SmarterMail, SharePoint, Veeam).
## Recommendations
- Implement strict asset discovery and lifecycle management to ensure all deployed servers (especially VMs) are inventoried and patched.
- Review and strengthen network segmentation policies to limit the impact of compromise on core business services.
- Continue the migration away from Windows/Active Directory infrastructure. The Linux servers were unaffected in this incident because the observed post-exploitation tooling targeted Windows; that does not make the unpatched-application entry point Windows-only, so Linux hosts still need the same inventory and patching discipline.
- Mandate immediate password replacement across the network following any suspected major breach.