158.94.211.49

Summary (Bottom Line Up Front)

Threat actor operating from Middlesex University network (158.94.211.49) conducted sustained SMTP reconnaissance against multiple targets from March 9-14, 2026, generating 4,593 malicious events. Assessment: MEDIUM threat level with potential for escalation to credential harvesting or phishing infrastructure deployment. Immediate blocking and enhanced SMTP monitoring recommended.

TCP smtp
Activity Timeline
INITIAL REPORT 2026-03-14T17:34:40Z
Source: batch_hunting
Technical details
Primary attack vector involved systematic SMTP EHLO probing across target infrastructure, indicating the reconnaissance phase of a potential email-based attack campaign. The actor demonstrated persistence with 305 distinct SMTP enumeration attempts over a 5-day period, suggesting automated tooling. The source system exposes multiple services (RDP/3389, WinRM/5985, SMB/445, RPC/135), consistent with a compromised Windows endpoint. MITRE ATT&CK mappings include T1018 (Remote System Discovery) and T1590.001 (Gather Victim Network Information). IOC: 158.94.211.49 (AS202412, AbuseIPDB score 100/100).
IOCs
IP: 158.94.211.49
ASN: 202412
COUNTRY: NL
Recommendations
  • Block 158.94.211.49 at perimeter firewalls and email security gateways immediately
  • Implement enhanced logging and alerting for SMTP EHLO commands from external sources
  • Review email server configurations to minimize information disclosure during SMTP handshakes
  • Monitor for follow-on phishing or credential harvesting attempts targeting discovered email infrastructure
  • Coordinate with abuse contacts at AS202412 (Middlesex University) for potential compromise notification