SmarterMail CVE-2026-23760 Exploited for RCE via System Events

2 points, posted 9 hours ago
by thehacknews

1 Comment

thehacknews

9 hours ago

Attackers are actively abusing a SmarterMail account takeover flaw to gain admin access and pivot into remote code execution using System Events.

The intrusion chain uses automated API calls for password reset, token-based login, event-hook creation, and domain actions to trigger command execution and cleanup.