146.70.146.50

Summary (Bottom Line Up Front)

Threat actor operating from Vienna-based hosting infrastructure (146.70.146.50) conducted targeted SMTP reconnaissance against organizational mail servers on March 3, 2026 at approximately 12:00 UTC. Activity demonstrates systematic enumeration techniques consistent with pre-attack reconnaissance for potential phishing campaigns or mail server exploitation. Immediate blocking and enhanced SMTP monitoring recommended.

TCP smtp
Activity Timeline
INITIAL REPORT 2026-03-10T15:13:35Z
Source: Analyst Manual Entry
Technical details
  • Source: 146.70.146.50 (AS9009 M247 LTD Vienna, Austria) with maximum AbuseIPDB reputation score (100/100)
  • Attack Vector: SMTP protocol reconnaissance using EHLO, MAIL FROM, and RCPT TO commands
  • Volume: 20 events over 2-second timeframe indicating automated tooling
  • Infrastructure: Extensive open port profile (22, 80, 443, 500, 1701, 1723, 3128, 4443, 6443, 8000) suggesting compromised host or bulletproof hosting
  • MITRE ATT&CK: T1590.001 (Gather Victim Network Information: Domain Properties), T1589.002 (Gather Victim Identity Information: Email Addresses)
  • IOCs: IP 146.70.146.50, ASN AS9009
IOCs
IP:146.70.146.50
ASN:9009
COUNTRY:AT
Recommendations
  • Block source IP 146.70.146.50 and monitor for additional M247 LTD Vienna ASN (AS9009) reconnaissance activity
  • Implement rate limiting on SMTP EHLO/VRFY commands and log all enumeration attempts for threat hunting
  • Review mail server logs from the March 3, 2026 12:00 UTC timeframe for successful recipient enumeration or credential harvesting
  • Enable enhanced logging for SMTP transactions and establish baseline monitoring for unusual reconnaissance patterns
  • Coordinate with email security teams to increase phishing detection sensitivity given potential follow-on campaign indicators
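
A sketch of the log review and enumeration logging recommended above, as an added example that is not part of the original report: it flags any source whose SMTP commands reach a threshold inside a 2-second sliding window and lists the recipients that source saw accepted. The log line format, the `find_enumeration` and `constructed_sample` names, the threshold of 10, and the `probe.invalid` / `example.org` addresses are assumptions; the sample lines are constructed to mirror the 20-events-in-2-seconds pattern.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def constructed_sample():
    """Constructed log lines (hypothetical format):
    <UTC timestamp>Z <client IP> <SMTP command and argument> <reply code>"""
    base = datetime(2026, 3, 3, 12, 0, 0)
    step = timedelta(milliseconds=100)
    src = "146.70.146.50"
    lines = [f"{base.isoformat()}Z {src} EHLO probe.invalid 250",
             f"{(base + step).isoformat()}Z {src} MAIL FROM:<x@probe.invalid> 250"]
    for i in range(18):  # 18 RCPT probes, two of which the server accepts
        code = 250 if i in (4, 11) else 550
        ts = (base + step * (i + 2)).isoformat()
        lines.append(f"{ts}Z {src} RCPT TO:<user{i}@example.org> {code}")
    # One ordinary delivery from another host, which must not be flagged.
    lines.append("2026-03-03T12:05:00Z 192.0.2.10 RCPT TO:<user4@example.org> 250")
    return lines

def find_enumeration(lines, window=timedelta(seconds=2), threshold=10):
    """Return {ip: {...}} for sources with >= threshold commands in any window.
    Assumes lines are in chronological order."""
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    peak = defaultdict(int)        # ip -> largest burst observed
    accepted = defaultdict(list)   # ip -> recipients answered with a 2xx reply
    for line in lines:
        ts_raw, ip, rest = line.split(None, 2)
        command, code = rest.rsplit(None, 1)
        ts = datetime.fromisoformat(ts_raw.rstrip("Z"))
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        if command.upper().startswith("RCPT TO:") and code.startswith("2"):
            accepted[ip].append(command[8:].strip("<> "))
    return {ip: {"peak_events": n, "confirmed_recipients": accepted[ip]}
            for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, hit in find_enumeration(constructed_sample()).items():
        print(ip, hit["peak_events"], hit["confirmed_recipients"])
```

Recipients listed under `confirmed_recipients` are the addresses the enumerating source learned to be valid, which makes them the first mailboxes to watch for follow-on phishing.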