158.94.210.190

Summary (Bottom Line Up Front)

Threat actors operating from Middlesex University infrastructure (158.94.210.190) conducted sustained SMTP reconnaissance between March 9-13, 2026, generating 2,944 malicious events and earning a 100/100 AbuseIPDB reputation score. The assessment rates this as MEDIUM-threat reconnaissance activity, potentially preparing for email-based attacks or lateral movement. Immediate blocking and enhanced SMTP monitoring are recommended.

Protocol/service: TCP smtp

Activity Timeline

Initial report: 2026-03-14T17:44:56Z
Source: batch_hunting
Technical details
The attacking host exhibited characteristics consistent with a compromised Windows Server 2012 R2 system running extensive network services (RDP, SMB, WinRM). The primary activity was SMTP enumeration via EHLO commands (159 instances) directed at a single destination infrastructure. The attack pattern suggests MITRE ATT&CK T1018 (Remote System Discovery) and T1083 (File and Directory Discovery) techniques during the reconnaissance phase. The 4-day campaign duration and consistent targeting indicate methodical intelligence gathering rather than opportunistic scanning. Key IOC: 158.94.210.190 (AS202412 Middlesex University, Netherlands).
IOCs
IP: 158.94.210.190
ASN: 202412
Country: NL
Recommendations
  • Block 158.94.210.190 at perimeter firewalls and add to organizational threat feeds immediately
  • Implement enhanced logging and monitoring for SMTP EHLO commands and unusual email server enumeration attempts
  • Review and harden SMTP server configurations to limit information disclosure during reconnaissance probes
  • Coordinate with abuse contacts at AS202412/Middlesex University to report compromised infrastructure
  • Deploy additional email security controls and consider rate-limiting SMTP connections from academic networks