178.16.54.15

Summary (Bottom Line Up Front)

A Windows Server 2012 R2 system at 178.16.54.15 (Netherlands/dus.net GmbH) conducted sustained SMTP reconnaissance activities over 72 hours targeting organizational mail infrastructure. The threat level is assessed as MEDIUM due to focused reconnaissance behavior with potential for escalation to exploitation phases. Network defenders should immediately review SMTP security posture and implement enhanced monitoring for this actor.

Tags: TCP, TCP/SYN, smtp
Activity Timeline
INITIAL REPORT 2026-03-14T17:35:55Z
Source: batch_hunting
Technical details
The attacker conducted 1,061 events between March 11-14, 2026, primarily utilizing SMTP_PROBE techniques with 78 documented EHLO command reconnaissance attempts. The source system presents an unusual profile with multiple Windows services exposed (RPC, NetBIOS, SMB, WinRM) on ports 135, 137, 139, 445, and 5985, suggesting either a compromised server or poorly configured infrastructure. Attack patterns align with MITRE ATT&CK T1590.001 (Gather Victim Network Information: Domain Properties) and T1018 (Remote System Discovery). The 100/100 AbuseIPDB reputation score indicates established malicious activity. Primary IOC: 178.16.54.15 targeting SMTP services exclusively.
IOCs
IP: 178.16.54.15
ASN: 40999
COUNTRY: NL
Recommendations
  • Block 178.16.54.15 at perimeter firewalls and add to organizational threat intelligence feeds for ongoing monitoring
  • Audit SMTP server configurations to ensure EHLO responses do not leak sensitive system information or internal network topology
  • Implement rate limiting on SMTP connections and enable detailed logging for EHLO/HELO commands to detect similar reconnaissance patterns
  • Review mail server access logs for the March 11-14 timeframe to identify any successful authentication attempts or data exfiltration
  • Consider deploying SMTP [REDACTED]s or deception technology to detect and track similar reconnaissance campaigns targeting mail infrastructure