Summary (Bottom Line Up Front)
Threat actor operating from IP 141.98.9.68 (Lithuania, AS209588) conducted SMTP user enumeration attacks against organizational email infrastructure over a 16-hour period from March 15-16, 2026. Assessment indicates LOW severity reconnaissance activity consistent with email harvesting for potential spam or phishing operations. Network defenders should implement SMTP hardening measures and monitor for follow-on attacks.
Activity Timeline
UPDATE 2026-03-22T08:26:58Z
Source: Analyst Manual Entry
New findings
Attack Vector: SMTP user enumeration via RCPT TO commands targeting port 25
Volume: 53 events across 16-hour timeframe (March 15 16:00 - March 16 08:00)
Protocols: TCP, SMTP
MITRE Technique: T1589.002 (Gather Victim Identity Information: Email Addresses)
Kill Chain Phase: Reconnaissance
Source Infrastructure: VDS & Cloud services (AS209588), AbuseIPDB score 100/100
Attack Patterns: SMTP RCPT TO enumeration (6 hits), SMTP EHLO probing (1 hit)
IOCs: 141.98.9.68 (source host fingerprinted as Windows Server 2012 R2, TCP port 445 open)
Recommendations
- Block source IP 141.98.9.68 at perimeter firewalls and email security gateways
- Implement SMTP rate limiting and disable VRFY/EXPN commands on mail servers; note that the observed activity used RCPT TO, which cannot be disabled, so that vector has to be throttled and detected rather than switched off
- Monitor for suspicious SMTP enumeration patterns and implement behavioral detection rules
- Review email server logs for additional reconnaissance attempts from AS209588 netblock
- Consider implementing SMTP banner hardening to reduce information disclosure during reconnaissance
INITIAL REPORT 2026-03-17T06:41:33Z
Source: Analyst Manual Entry
Threat actor operating from Lithuanian hosting provider UAB Host Baltic (141.98.9.68) conducted sustained SMTP enumeration attacks over 16 hours targeting email infrastructure. Assessment: MEDIUM threat level with potential for follow-on attacks including spam campaigns or credential harvesting. Immediate action required to block source IP and review SMTP security configurations.
Technical details
- Source: 141.98.9.68 (AS209605 UAB Host Baltic, Lithuania) with maximum AbuseIPDB reputation score (100/100)
- Campaign Duration: 2026-03-15 16:00 to 2026-03-16 08:00 (16-hour window)
- Attack Volume: 53 events against a single destination port (TCP/25, SMTP)
- Primary Techniques: SMTP RCPT TO enumeration (12 instances), EHLO probing (1 instance)
- MITRE ATT&CK Mapping: T1589.002 (Gather Victim Identity Information: Email Addresses), T1018 (Remote System Discovery)
- IOC: 141.98.9.68 (confirmed malicious, block recommended)
IOCs
IP:141.98.9.68
ASN:209605
COUNTRY:LT
Recommendations
- Block source IP 141.98.9.68 at perimeter firewalls and email security gateways immediately
- Review SMTP server configurations to disable unnecessary VRFY and EXPN commands that facilitate enumeration
- Implement rate limiting on SMTP connections and on rejected recipients per client to slow automated enumeration; RCPT TO probing, unlike VRFY/EXPN, cannot be turned off, so it must be throttled and detected rather than disabled
- Monitor for suspicious RCPT TO patterns and consider deploying [REDACTED] email addresses to detect enumeration
- Audit email user accounts for any unauthorized access attempts or suspicious authentication activity during the attack window
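The RCPT TO enumeration described in this report and the detection recommended in both sets of recommendations can be checked against mail-server logs directly. The following is an added example, not tooling from the original report: it parses Postfix-style "NOQUEUE: reject" lines and flags any client that, within a sliding window, has a burst of distinct recipients rejected as unknown users. The log lines are constructed for the example (they are not the incident's logs), the log format regex assumes Postfix smtpd, and the window and threshold values are assumptions to tune per site.

```python
"""Detect SMTP recipient enumeration (RCPT TO probing) from MTA logs.

Added example. The sample log below is constructed and modelled on Postfix
smtpd reject lines; it is not the log data from the incident. The regex,
window size and threshold are assumptions for illustration.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

LOG_YEAR = 2026  # syslog lines carry no year; assumed for the sample data

Event = namedtuple("Event", "ts ip rcpt reason helo")

# Postfix smtpd line logged when a RCPT TO command is refused (assumed format).
RCPT_REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"<(?P<rcpt>[^>]*)>: (?P<reason>[^;]*);.*?helo=<(?P<helo>[^>]*)>"
)

# Constructed sample: one client walking a dictionary of local parts, one
# open-relay probe (different reject reason) and one partner who mistyped a
# single address. Connect/disconnect lines are present to show they are skipped.
SAMPLE_LOG = """\
Mar 15 16:00:03 mx1 postfix/smtpd[2101]: connect from unknown[141.98.9.68]
Mar 15 16:00:04 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[141.98.9.68]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<admin@example.com> proto=ESMTP helo=<WIN-SCANNER>
Mar 15 16:00:05 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[141.98.9.68]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<alice@example.com> proto=ESMTP helo=<WIN-SCANNER>
Mar 15 16:00:06 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[141.98.9.68]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<bob@example.com> proto=ESMTP helo=<WIN-SCANNER>
Mar 15 16:00:07 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[141.98.9.68]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<carol@example.com> proto=ESMTP helo=<WIN-SCANNER>
Mar 15 16:00:08 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[141.98.9.68]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<dave@example.com> proto=ESMTP helo=<WIN-SCANNER>
Mar 15 16:00:09 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[141.98.9.68]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<sales@example.com> proto=ESMTP helo=<WIN-SCANNER>
Mar 15 16:00:10 mx1 postfix/smtpd[2101]: disconnect from unknown[141.98.9.68]
Mar 15 16:20:00 mx1 postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 454 4.7.1 <victim@example.org>: Relay access denied; from=<spam@example.net> to=<victim@example.org> proto=ESMTP helo=<relayprobe>
Mar 15 16:30:12 mx1 postfix/smtpd[2200]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.7]: 550 5.1.1 <jon.smth@example.com>: Recipient address rejected: User unknown in local recipient table; from=<jane@partner.example> to=<jon.smth@example.com> proto=ESMTP helo=<mail.partner.example>
"""


def parse_rejects(log_text):
    """Return RCPT TO rejections as Event tuples, ignoring other log lines."""
    events = []
    for line in log_text.splitlines():
        m = RCPT_REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["ip"], m["rcpt"].lower(), m["reason"], m["helo"]))
    return events


def _summarize(evs):
    unknown = [e for e in evs if "User unknown" in e.reason]
    return {
        "rejects": len(evs),
        "distinct_rcpts": len({e.rcpt for e in unknown}),
        "first_seen": evs[0].ts.isoformat(),
        "last_seen": evs[-1].ts.isoformat(),
        "helos": sorted({e.helo for e in evs}),
    }


def find_enumerators(events, window_seconds=600, min_distinct_rcpts=5):
    """Flag client IPs that, inside any sliding window of window_seconds,
    had at least min_distinct_rcpts distinct recipients rejected as unknown.
    Only 'User unknown' rejections count: relay-denied and policy rejects do
    not reveal whether an address exists. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev.ip].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end].ts - evs[start].ts).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            distinct = {e.rcpt for e in window if "User unknown" in e.reason}
            if len(distinct) >= min_distinct_rcpts:
                findings[ip] = _summarize(evs)
                break
    return findings


if __name__ == "__main__":
    for ip, summary in find_enumerators(parse_rejects(SAMPLE_LOG)).items():
        print(f"possible RCPT TO enumeration from {ip}: {summary}")
```

The partner host with one mistyped address and the relay probe are not flagged; the client walking six local parts in six seconds is. The same pressure can be applied server-side in Postfix with smtpd_hard_error_limit and smtpd_client_recipient_rate_limit (other MTAs have different knobs), but a log-side check like this one is what lets you spot the slow, 16-hour pattern described above, where per-connection limits alone may never trip.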