Summary (Bottom Line Up Front)
Threat actor operating from 185.93.89.64 (Netherlands/AS213790) conducted sustained SMTP reconnaissance against mail infrastructure over 28 days, generating 7,725 events targeting port 25. Activity assessed as LOW threat level reconnaissance likely aimed at identifying vulnerable mail servers for future exploitation. Network defenders should monitor SMTP infrastructure for similar probing patterns and implement rate limiting on mail services.
Activity Timeline
UPDATE 5 (2026-04-06T11:05:05Z)
Source: Analyst Manual Entry
Threat actor operating from 185.93.89.64 (Netherlands/AS213790) conducted sustained SMTP reconnaissance against mail infrastructure over 28 days, generating 7,725 events targeting port 25. Activity assessed as LOW threat level reconnaissance likely aimed at identifying vulnerable mail servers for future exploitation. Network defenders should monitor SMTP infrastructure for similar probing patterns and implement rate limiting on mail services.
New findings
Source: 185.93.89.64 (Maastricht, NL) via Limited Network LTD (AS213790)
Timeline: March 9, 2026 22:00 - April 6, 2026 12:00 (28-day campaign)
Volume: 7,725 total events exclusively targeting TCP port 25
Primary Techniques: SMTP EHLO/HELO probing, authentication enumeration, IoT command injection attempts
MITRE Mapping: T1589 (Gather Victim Identity Information)
Attack Distribution: IoT attacks (1,071 hits), SMTP probes (707 hits), credential capture attempts (422 hits)
Payload Indicators: Generic HELO/EHLO commands with "User" identifier, QUIT commands via JSON payloads
Threat Assessment: Automated scanning tool conducting service enumeration with 100/100 AbuseIPDB reputation score
Recommendations
- Implement rate limiting on SMTP services (port 25) to prevent reconnaissance scanning and resource exhaustion
- Monitor mail server logs for repeated EHLO/HELO commands from single sources exceeding normal thresholds
- Block traffic from AS213790 (Limited Network LTD) if no legitimate business requirements exist
- Deploy fail2ban or similar intrusion prevention systems configured for SMTP abuse patterns
- Review mail server configurations to ensure minimal information disclosure during SMTP banner exchanges
UPDATE 4 (2026-03-29T09:49:09Z)
Source: Analyst Manual Entry
Sustained SMTP credential harvesting activity observed from IP 185.93.89.64 targeting email authentication services over a 20-day period from March 9-29, 2026. Medium-severity threat assessment based on 10,000+ automated authentication attempts using brute-force techniques against SMTP infrastructure. Organizations should immediately review SMTP authentication logs and implement enhanced monitoring for similar attack patterns.
New findings
Attack Vector: SMTP-based credential harvesting campaign utilizing AUTH LOGIN method and reconnaissance probes
Volume: 10,207 events over 20-day period (March 9 22:00 - March 29 11:00, 2026)
Primary Protocols: SMTP (port 25/TCP)
MITRE ATT&CK Mapping: T1110.001 (Brute Force: Password Guessing)
Kill Chain Phase: Exploitation
Key Attack Patterns:
- SMTP_PROBE reconnaissance (449 events) - EHLO/HELO enumeration
- CREDENTIAL_CAPTURE attempts (128 events) - Authentication brute-forcing
- AI-detected anomalous behavior (4 events)
Sample Payloads: Generic HELO/EHLO commands ("HELO User", "EHLO User")
IOC: 185.93.89.64 (no reverse DNS, unknown ASN/geolocation)
Recommendations
- Implement rate limiting and account lockout policies for SMTP authentication attempts
- Deploy enhanced logging and monitoring for SMTP AUTH LOGIN/PLAIN authentication failures
- Block or restrict access from IP 185.93.89.64 at network perimeter devices
- Review SMTP server configurations to disable unnecessary authentication methods
- Conduct audit of email account credentials for potential compromise during the March 9-29 timeframe
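The two monitoring recommendations above (repeated EHLO/HELO sessions from a single source, and SMTP AUTH LOGIN/PLAIN failures) can be checked with the same log-parsing logic. The following is an added example, not part of the original report or of any vendor tooling: it reads Postfix-style smtpd log lines, treats a session that greets the server but never issues MAIL FROM as a probe, counts SASL authentication failures, and reports any source whose peak count inside a sliding one-hour window crosses a threshold. The log lines are constructed for the example (185.93.89.64 is the report's IOC; 203.0.113.10 is a documentation-range address standing in for a normal sender), and the thresholds and window are assumptions to be tuned against a site's own baseline.

```python
"""Flag SMTP reconnaissance and AUTH brute-force patterns in Postfix-style logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds and window are assumptions for illustration; tune to local baselines.
PROBE_THRESHOLD = 5      # bare EHLO/HELO sessions (no MAIL FROM) per source per window
AUTH_FAIL_THRESHOLD = 3  # SASL authentication failures per source per window
WINDOW = timedelta(hours=1)
LOG_YEAR = 2026          # syslog timestamps carry no year; the report's campaign is 2026

# Constructed sample lines (not taken from the report's telemetry).
SAMPLE_LOG = """\
Mar  9 22:00:01 mx1 postfix/smtpd[1201]: connect from unknown[185.93.89.64]
Mar  9 22:00:02 mx1 postfix/smtpd[1201]: disconnect from unknown[185.93.89.64] ehlo=1 quit=1 commands=2
Mar  9 22:03:10 mx1 postfix/smtpd[1202]: disconnect from unknown[185.93.89.64] helo=1 quit=1 commands=2
Mar  9 22:07:44 mx1 postfix/smtpd[1203]: disconnect from unknown[185.93.89.64] ehlo=1 quit=1 commands=2
Mar  9 22:12:05 mx1 postfix/smtpd[1204]: disconnect from unknown[185.93.89.64] ehlo=1 quit=1 commands=2
Mar  9 22:20:31 mx1 postfix/smtpd[1205]: disconnect from unknown[185.93.89.64] ehlo=1 quit=1 commands=2
Mar  9 22:31:00 mx1 postfix/smtpd[1206]: warning: unknown[185.93.89.64]: SASL LOGIN authentication failed: authentication failure
Mar  9 22:31:02 mx1 postfix/smtpd[1206]: warning: unknown[185.93.89.64]: SASL LOGIN authentication failed: authentication failure
Mar  9 22:31:05 mx1 postfix/smtpd[1206]: warning: unknown[185.93.89.64]: SASL PLAIN authentication failed: authentication failure
Mar  9 22:31:09 mx1 postfix/smtpd[1206]: disconnect from unknown[185.93.89.64] ehlo=1 auth=0/3 quit=1 commands=2/5
Mar  9 22:40:12 mx1 postfix/smtpd[1207]: connect from mail.example.net[203.0.113.10]
Mar  9 22:40:13 mx1 postfix/smtpd[1207]: disconnect from mail.example.net[203.0.113.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar  9 23:45:00 mx1 postfix/smtpd[1208]: disconnect from unknown[185.93.89.64] ehlo=1 quit=1 commands=2
"""

_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
DISCONNECT_RE = re.compile(_PREFIX + r"disconnect from \S+\[(?P<ip>[\d.]+)\](?P<stats>.*)$")
SASL_FAIL_RE = re.compile(_PREFIX + r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")


def _parse_ts(raw: str) -> datetime:
    """Parse a syslog timestamp such as 'Mar  9 22:00:02' into a datetime."""
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def _count(stats: str, cmd: str) -> int:
    """Accepted count for one command in a Postfix disconnect summary
    ('ehlo=1', or 'auth=0/3' meaning 0 accepted of 3 offered); 0 if absent."""
    m = re.search(rf"\b{cmd}=(\d+)", stats)
    return int(m.group(1)) if m else 0


def extract_events(log_text: str):
    """Return {ip: {"smtp_probe": [datetimes], "sasl_failure": [datetimes]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = DISCONNECT_RE.match(line)
        if m:
            stats = m.group("stats")
            # A session that greets (EHLO/HELO) but never sends MAIL FROM is a probe.
            if _count(stats, "ehlo") + _count(stats, "helo") > 0 and _count(stats, "mail") == 0:
                events[m.group("ip")]["smtp_probe"].append(_parse_ts(m.group("ts")))
            continue
        m = SASL_FAIL_RE.match(line)
        if m:
            events[m.group("ip")]["sasl_failure"].append(_parse_ts(m.group("ts")))
    return events


def peak_in_window(times, window=WINDOW) -> int:
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect(log_text, probe_threshold=PROBE_THRESHOLD,
           auth_fail_threshold=AUTH_FAIL_THRESHOLD, window=WINDOW):
    """Return {ip: {kind: peak_count}} for every source that crossed a threshold."""
    thresholds = {"smtp_probe": probe_threshold, "sasl_failure": auth_fail_threshold}
    findings = {}
    for ip, kinds in extract_events(log_text).items():
        for kind, times in kinds.items():
            peak = peak_in_window(times, window)
            if peak >= thresholds[kind]:
                findings.setdefault(ip, {})[kind] = peak
    return findings


if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG).items():
        print(ip, hits)
```

Running the module on the sample log reports 185.93.89.64 with six probe sessions and three SASL failures inside one hour, while the legitimate sender that delivered mail is not flagged; the same `detect()` call can be pointed at a real mail log, or its output fed to a firewall or fail2ban-style action, once the thresholds reflect the site's normal EHLO and authentication volume.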
UPDATE 3 (2026-03-23T07:12:12Z)
Source: Analyst Manual Entry
IP address 185.93.89.64 (Netherlands/AS213790) conducted sustained SMTP reconnaissance against multiple targets over a 14-day period, generating 6,822 events through service discovery probes. This activity represents low-risk reconnaissance (T1046) consistent with threat actor preparation for potential follow-on email-based attacks. Network defenders should implement enhanced SMTP monitoring and consider blocking this IP if no legitimate business relationship exists.
New findings
The threat actor operated from 185.93.89.64 (Maastricht, NL) via Limited Network LTD infrastructure between March 9th 22:00 and March 23rd 06:00, 2026. Primary attack vectors included SMTP EHLO/HELO commands targeting TCP port 25 to enumerate server capabilities and confirm service availability. Activity volume peaked at 397 SMTP_PROBE events with additional AI-detected generic probe attempts. MITRE technique T1046 (Network Service Scanning) maps to the Reconnaissance phase of the cyber kill chain. The source IP maintains a maximum AbuseIPDB reputation score of 100/100, indicating confirmed malicious activity from this infrastructure.
Recommendations
- Block IP 185.93.89.64 at perimeter firewalls unless legitimate business communications are confirmed
- Implement enhanced logging and alerting for SMTP EHLO/HELO reconnaissance patterns on email infrastructure
- Review SMTP server configurations to minimize information disclosure during service enumeration attempts
- Monitor for follow-on email-based attacks including spam, phishing, or credential harvesting from AS213790 network blocks
- Consider implementing rate limiting on SMTP connections to reduce reconnaissance effectiveness
UPDATE 2 (2026-03-22T08:12:33Z)
Source: Analyst Manual Entry
IP address 185.93.89.64 (Netherlands/AS213790) conducted sustained SMTP reconnaissance against multiple targets from March 9-22, 2026, generating over 6,200 events using standard EHLO probes to identify mail services and capabilities. This activity represents initial reconnaissance phase behavior with HIGH assessed threat level due to rapid escalation in attack volume and introduction of AI-detected attack patterns. Immediate monitoring and defensive posturing of SMTP infrastructure is recommended.
New findings
Source infrastructure shows maximum AbuseIPDB reputation score (100/100) with no reverse DNS resolution, indicating likely compromised or malicious hosting. Attack campaign utilized TCP protocols targeting SMTP services exclusively, employing MITRE technique T1046 (Network Service Scanning) through systematic EHLO command probes. Primary attack patterns include 372 instances of standard SMTP_PROBE/smtp_ehlo reconnaissance, supplemented by 4 AI-detected generic HELO probes and 4 traditional HELO attempts. Campaign timeline spans 13 days with significant activity escalation, focusing on single destination port suggesting targeted mail server enumeration rather than broad port scanning.
Recommendations
- Implement enhanced logging and monitoring for SMTP EHLO/HELO commands from external sources, particularly focusing on generic or automated probe patterns
- Block traffic from 185.93.89.64 and consider blocking the entire AS213790 netblock pending further threat assessment
- Review and harden SMTP banner information disclosure to minimize reconnaissance value for potential attackers
- Deploy rate limiting on SMTP connections to prevent automated scanning and reduce reconnaissance effectiveness
- Correlate internal mail server logs against the March 9-22 timeframe to identify any successful connections or follow-on activity from this source
UPDATE 1 (2026-03-21T12:41:14Z)
Source: Analyst Manual Entry
Threat actor 185.93.89.64 conducted sustained SMTP reconnaissance against multiple targets from March 9-21, 2026, generating 5,914 probe attempts to identify mail server capabilities. Assessment: LOW threat level with reconnaissance-phase activity indicating potential precursor to email-based attacks. Recommend implementing enhanced SMTP monitoring and access controls.
New findings
- Source: 185.93.89.64 (AS213790 Limited Network LTD, Netherlands)
- Campaign Duration: 12 days (March 9 22:00 - March 21 12:00, 2026)
- Attack Volume: 5,914 events targeting SMTP services exclusively
- Primary Technique: SMTP EHLO command probing (345 documented instances)
- MITRE Mapping: T1046 (Network Service Scanning)
- Kill Chain Phase: Reconnaissance
- Protocols: TCP, SMTP on standard ports
- Threat Confidence: 85% automated scanning behavior
- AbuseIPDB Score: 100/100 (maximum abuse rating)
Recommendations
- Implement rate limiting on SMTP connections to prevent reconnaissance scanning
- Deploy enhanced logging for SMTP EHLO commands and unusual connection patterns
- Consider geo-blocking or additional scrutiny for connections from AS213790 network range
- Review and harden SMTP banner information to minimize service fingerprinting opportunities
- Establish baseline monitoring for reconnaissance-phase activities targeting email infrastructure
INITIAL REPORT (2026-03-14T17:37:09Z)
Source: batch_hunting
Threat actor operating from IP 185.93.89.64 (Netherlands/AS213790) conducted sustained SMTP reconnaissance against multiple targets from March 9-14, 2026, generating 2,439 malicious events. This represents a MEDIUM threat level focused on email infrastructure enumeration. Organizations should immediately review SMTP server logs and implement enhanced monitoring for similar reconnaissance patterns.
Technical details
- Source: 185.93.89.64 (Maastricht, NL) / AS213790 Limited Network LTD
- Campaign Duration: March 9, 2026 22:00 - March 14, 2026 17:00 (5-day window)
- Attack Volume: 2,439 total events, 162 SMTP EHLO probes
- Primary Technique: SMTP service enumeration via EHLO commands (MITRE T1046 - Network Service Scanning)
- Protocols: TCP-based SMTP reconnaissance targeting port 25
- Threat Indicators: 100/100 AbuseIPDB reputation score, no legitimate reverse DNS
- IOCs: 185.93.89.64 (confirmed malicious infrastructure)
IOCs
IP: 185.93.89.64
ASN: 213790
COUNTRY: NL
Recommendations
- Block IP 185.93.89.64 and monitor AS213790 (Limited Network LTD) for additional malicious activity
- Review SMTP server logs from March 9-14, 2026 for unauthorized EHLO enumeration attempts
- Implement rate limiting on SMTP EHLO commands to prevent reconnaissance abuse
- Deploy enhanced monitoring for TCP port 25 scanning patterns and repeated EHLO requests
- Consider restricting SMTP banner information disclosure to reduce attack surface enumeration