45.144.212.199

Summary (Bottom Line Up Front)

A medium-severity threat actor operating from Netherlands-hosted infrastructure (45.144.212.199) conducted sustained SMTP reconnaissance against mail servers between February 28 and March 2, 2026. The attacker systematically probed mail servers using suspicious sender addresses potentially linked to underground marketplaces, indicating preparation for spam campaigns or further targeting of mail infrastructure. Network defenders should implement enhanced SMTP monitoring and consider blocking this IP address.

TCP smtp
Activity Timeline
INITIAL REPORT 2026-03-23T07:14:51Z
Source: Analyst Manual Entry
Technical details
Attack Vector: SMTP reconnaissance probing via TCP connections
Source: 45.144.212.199 (AS214940 Kprohost, Netherlands) - AbuseIPDB score 100/100
Timeline: February 28, 2026 11:00 - March 2, 2026 19:00 (19 total events)
MITRE Technique: T1018 (Remote System Discovery)
Kill Chain Phase: Reconnaissance
Attack Patterns: SMTP EHLO commands, MAIL FROM probes, RCPT TO enumeration
Infrastructure: Windows Server 2022 system with exposed RDP (3389), SMB (445), and WinRM (5985) services
IOCs: IP 45.144.212.199, suspicious sender addresses associated with potential underground marketplace domains
IOCs
IP: 45.144.212.199
ASN: 214940
COUNTRY: NL
Recommendations
  • Block IP address 45.144.212.199 at perimeter firewalls and mail security gateways
  • Enhance SMTP logging and monitoring for reconnaissance patterns including EHLO, MAIL FROM, and RCPT TO command sequences
  • Implement rate limiting on SMTP connections to prevent systematic enumeration attempts
  • Review and harden mail server configurations to minimize information disclosure during SMTP interactions
  • Monitor for follow-on spam campaigns or phishing attempts that may leverage reconnaissance data gathered during this activity
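One way to act on the logging recommendation above: a small detector, added here as an example rather than anything from the report or from a particular vendor, that reads SMTP command logs and flags a client that names many distinct RCPT TO recipients in a short window without ever issuing DATA. The log format, the partner IP 198.51.100.7, the window and the recipient threshold are constructed assumptions; the flagged source is the IP from this report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simple key=value format; it is not from the
# report above and is not any real MTA's native log format.
SAMPLE_LOG = """\
2026-02-28T11:00:03Z client=45.144.212.199 cmd=EHLO arg=probe.example
2026-02-28T11:00:04Z client=45.144.212.199 cmd=MAIL arg=<vendor@market.example>
2026-02-28T11:00:05Z client=45.144.212.199 cmd=RCPT arg=<admin@corp.example>
2026-02-28T11:00:05Z client=45.144.212.199 cmd=RCPT arg=<sales@corp.example>
2026-02-28T11:00:06Z client=45.144.212.199 cmd=RCPT arg=<it@corp.example>
2026-02-28T11:00:07Z client=45.144.212.199 cmd=RCPT arg=<hr@corp.example>
2026-02-28T11:00:08Z client=45.144.212.199 cmd=QUIT arg=
2026-02-28T11:02:10Z client=198.51.100.7 cmd=EHLO arg=mx.partner.example
2026-02-28T11:02:11Z client=198.51.100.7 cmd=MAIL arg=<alice@partner.example>
2026-02-28T11:02:12Z client=198.51.100.7 cmd=RCPT arg=<sales@corp.example>
2026-02-28T11:02:13Z client=198.51.100.7 cmd=DATA arg=
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) cmd=(\S+) arg=(.*)$")

def parse(log_text):
    """Return (timestamp, client_ip, command, argument) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4).strip()))
    return sorted(events)

def detect_rcpt_enumeration(log_text, window=timedelta(minutes=5), min_rcpts=4):
    """Flag clients that name >= min_rcpts distinct recipients within any
    window-long span and never issue DATA: probing with no message sent."""
    by_client = defaultdict(list)
    for ev in parse(log_text):
        by_client[ev[1]].append(ev)
    findings = {}
    for client, evs in by_client.items():
        rcpt_events = [(ts, arg) for ts, _, cmd, arg in evs if cmd == "RCPT"]
        sent_data = any(cmd == "DATA" for _, _, cmd, _ in evs)
        senders = {arg for _, _, cmd, arg in evs if cmd == "MAIL"}  # MAIL FROM values seen
        peak = 0
        for i, (start, _) in enumerate(rcpt_events):  # sliding window over RCPT TO
            in_window = {a for ts, a in rcpt_events[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        findings[client] = {"peak_distinct_rcpts": peak, "senders": sorted(senders),
                            "sent_data": sent_data, "flagged": peak >= min_rcpts and not sent_data}
    return findings
```

The `senders` field is kept in each finding so the MAIL FROM addresses of a flagged client can be compared against known-bad sender domains.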