Threat Overview
ReliaQuest has identified a new campaign, codenamed Storm-2603, that exploits a critical vulnerability in SmarterMail (CVE-2026-23760) to stage the Warlock ransomware on internet-facing mail servers. The attack chain demonstrates a sophisticated blend of application-level exploitation, administrative feature abuse, and living-off-the-land persistence that allows the threat actor to gain full system control without obvious signs of compromise.
Key Points
- Initial access is achieved by resetting an administrator password through a vulnerable password-reset API that accepts any value in place of the current password.
- Execution is chained through the Volume Mount feature, allowing arbitrary commands to run with the high privileges of the SmarterMail service.
- Persistence is established using the Windows Installer (msiexec.exe) to download a malicious MSI package from a Supabase-hosted endpoint; the package installs Velociraptor, which then serves as the command-and-control channel.
- Defenders are advised to upgrade to Build 9511 or later, isolate mail servers, and block outbound traffic to unknown cloud providers.
Attack Chain Breakdown
Initial Access
Attackers exploit CVE-2026-23760 by sending a password reset request to the SmarterMail API. The vulnerable build does not validate the old password, so any value submitted in that field overwrites the administrator password. This bypasses authentication completely and provides application-level control.
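To make the class of defect concrete, the following is an added, deliberately generic illustration (not SmarterMail's code, and not ReliaQuest's) of a password-change handler that accepts the old-password field without checking it, placed beside the form that verifies the current credential first. The `UserStore` class and both handler names are assumptions introduced for this example.

```python
"""Generic illustration of an unverified password change versus a verified one.
This is example code, not SmarterMail's implementation; UserStore and the two
handler functions are names invented for the example."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    """Minimal in-memory credential store: username -> (salt, digest)."""

    def __init__(self):
        self._users = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def exists(self, username: str) -> bool:
        return username in self._users

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison against the stored digest."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(_hash(password, salt), digest)


def change_password_vulnerable(store: UserStore, username: str,
                               old_password: str, new_password: str) -> bool:
    """Models the defect: the old-password field is received but never checked,
    so any value overwrites the stored credential for an existing account."""
    if not store.exists(username):
        return False
    store.add(username, new_password)
    return True


def change_password_fixed(store: UserStore, username: str,
                          old_password: str, new_password: str) -> bool:
    """Hardened form: the current credential must verify before anything changes."""
    if not store.verify(username, old_password):
        return False
    store.add(username, new_password)
    return True
```

The fixed handler also fails closed for unknown usernames, because `verify` returns `False` when no record exists, so a caller cannot distinguish a missing account from a wrong password by the return value alone.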
Execution
With application-level control, the threat actor turns to the Volume Mount feature, which trusts administrator-supplied input. By injecting shell commands into that input, they gain the ability to run code on the underlying Windows host with the same high privileges as the SmarterMail service. This step bridges the gap from application control to system compromise.
Persistence
Once a shell is available, the attacker uses msiexec to download a malicious MSI from a Supabase endpoint. The MSI installs Velociraptor, a legitimate digital forensics and incident response tool commonly used by security teams. By using a trusted tool for command and control, the attacker blends into normal administrative activity and evades many detection engines.
Command and Control
Velociraptor is configured to communicate with the attacker’s infrastructure, establishing a persistent backdoor. While no ransomware payload was deployed during the observed activity, the tradecraft matches known Warlock ransomware deployments, indicating that the attack reached the staging phase and was likely intercepted.
Overlap with CISA Warning
The campaign also shows probes for a second SmarterMail vulnerability (CVE-2026-24423). While both vulnerabilities can lead to remote code execution, the evidence suggests that CVE-2026-23760 was the primary entry point for the Storm-2603 activity. The presence of multiple vectors underscores the need for comprehensive patching and monitoring.
Recommendations for Defenders
- Upgrade all SmarterMail instances to Build 9511 or later to close the authentication bypass flaw.
- Segment mail servers into a DMZ and restrict lateral movement by isolating them from critical internal assets.
- Implement strict outbound firewall rules: allow only SMTP, IMAP, and POP3 traffic from the mail server; block all other outbound connections.
- Deploy detection rules that flag unusual msiexec activity and downloads from unexpected cloud platforms such as Supabase.
- Use threat-hunting queries to identify unauthorized Volume Mount commands or password reset API calls to SmarterMail.
- Consider implementing a Web Application Firewall (WAF) that can detect and block anomalous API requests to the password reset endpoint.
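The detection and egress recommendations above translate directly into simple rules. The following is an added example (not ReliaQuest's GreyMatter logic and not SmarterMail's code) that applies three of them to constructed events modelled loosely on Sysmon process-creation and network-connection records: the mail service process spawning a shell, msiexec installing a package fetched over HTTP(S) from a host that is not on an approved list, and the mail service making an outbound connection on a non-mail port. Every field name, file path, hostname, IP address and allowlist entry below is an assumption made for the example; only the process names MailService.exe, cmd.exe and msiexec.exe come from the article.

```python
"""Added example: three detections from the recommendations, run over constructed
telemetry. Field names follow Sysmon loosely; paths, hosts, addresses and the
allowlists are assumptions for this example, not values from the article."""
import re
from urllib.parse import urlparse

# Parent images that should never launch a shell on a mail server.
MAIL_SERVICE_IMAGES = {"mailservice.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Hosts from which MSI installs are expected (constructed allowlist).
APPROVED_MSI_HOSTS = {"updates.example.internal"}
# Egress policy from the recommendations: SMTP, IMAP and POP3 (plain and TLS ports).
ALLOWED_OUTBOUND_PORTS = {25, 587, 143, 993, 110, 995}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event: dict) -> list:
    """Return the list of finding names raised by one event (empty if benign)."""
    findings = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))

    if event["EventType"] == "ProcessCreate":
        # 1. Mail service spawning a shell: the Volume Mount abuse path.
        if parent in MAIL_SERVICE_IMAGES and image in SHELL_IMAGES:
            findings.append("mail_service_spawned_shell")
        # 2. msiexec pulling a package over HTTP(S) from a host not on the allowlist.
        if image == "msiexec.exe":
            for url in URL_RE.findall(event.get("CommandLine", "")):
                host = (urlparse(url).hostname or "").lower()
                if host not in APPROVED_MSI_HOSTS:
                    findings.append("msiexec_remote_msi:" + host)

    elif event["EventType"] == "NetworkConnect":
        # 3. Outbound connection from the mail service on a non-mail port.
        port = event["DestinationPort"]
        if image in MAIL_SERVICE_IMAGES and port not in ALLOWED_OUTBOUND_PORTS:
            findings.append("unexpected_outbound_port:%d" % port)
    return findings


# Constructed sample events (not real telemetry; paths and hosts are invented).
SAMPLE_EVENTS = [
    {"EventId": 1, "EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\SmarterMail\MailService.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"EventId": 2, "EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i https://files.example.net/pkg.msi /qn"},
    {"EventId": 3, "EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i https://updates.example.internal/app.msi /qn"},
    {"EventId": 4, "EventType": "NetworkConnect",
     "Image": r"C:\Program Files\SmarterMail\MailService.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventId": 5, "EventType": "NetworkConnect",
     "Image": r"C:\Program Files\SmarterMail\MailService.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": 25},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map each event id to its findings; only ids with findings need triage."""
    return {e["EventId"]: detect(e) for e in events}


if __name__ == "__main__":
    for event_id, findings in run().items():
        print(event_id, findings or "ok")
```

Events 1, 2 and 4 raise findings; 3 and 5 are the benign controls (an approved update host and a normal SMTP connection). The msiexec rule keys on the install source rather than on the Supabase name alone, so a move to another cloud storage provider still trips it, and the egress rule is the monitoring counterpart of the firewall policy rather than a replacement for it.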
ReliaQuest GreyMatter Capabilities
GreyMatter Transit monitors in real time for suspicious msiexec activity, unauthorized network connections, and abnormal process lineage such as MailService.exe spawning cmd.exe. Agentic AI automatically traces the attack chain, correlates API exploitation with system execution, and responds by containing the compromised server and generating a full incident ticket within minutes.
By combining these capabilities with the recommended hardening steps, organizations can reduce the risk of a successful Warlock ransomware deployment and mitigate the impact of emerging SmarterMail vulnerabilities.