Summary (Bottom Line Up Front)
An external actor operating from 45.144.212.237 (Kprohost, AS214940, Netherlands) conducted sustained SMTP reconnaissance against organizational mail infrastructure between March 6 and March 22, 2026, generating 13,097 probe events. The activity is assessed as LOW severity: automated scanning that enumerates SMTP server capabilities and confirms the service is reachable. Recommend rate limiting on the SMTP service together with enhanced EHLO/HELO logging and monitoring.
Activity Timeline
UPDATE 1 2026-03-23T06:29:14Z
Source: Analyst Manual Entry
New findings
- Source Infrastructure: 45.144.212.237 (Maastricht, NL) via Kprohost (AS214940), AbuseIPDB score 100/100
- Attack Vector: SMTP reconnaissance sessions that issue EHLO with a generic, non-FQDN identifier
- Volume/Timeline: 13,097 events over 16-day period (March 6 07:00 - March 22 23:00, 2026)
- MITRE Mapping: T1595.001 (Active Scanning: Scanning IP Blocks), Reconnaissance tactic, which covers probing exposed services for banners and capabilities. T1018 (Remote System Discovery) is a post-compromise Discovery technique and does not describe unauthenticated scanning from the internet
- Protocol Analysis: TCP connections to a single SMTP destination port
- Threat Classification: Automated scanning infrastructure, assessed as a likely precursor to an email-based attack campaign
- IOCs: 45.144.212.237; SMTP EHLO probes that identify themselves with the generic name "User"
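The probe session these findings describe, replayed against a local stub server so it runs offline: this is an added example, not code from the report or from any tool it names. The stub server, both banner strings, the advertised extension list and the generic EHLO name "User" are constructed for the demonstration; the client side is what an automated scanner effectively does. It also carries the check behind the banner-hardening recommendation: the default Postfix greeting ($myhostname ESMTP $mail_name, on some distributions with the OS name appended) names the software, while the hardened value $myhostname ESMTP keeps only the hostname, which RFC 5321 requires in the 220 reply.

```python
"""Replay an EHLO "User" probe against a local stub SMTP server and show what
the scanner learns from the greeting and the EHLO reply.

Added example, not code from the report. The stub server, both banners and the
extension list are constructed for the demonstration.
"""
import re
import smtplib
import socketserver
import threading

# Constructed banners: Postfix default form (software and OS visible) and the
# hardened form that keeps only the hostname RFC 5321 requires in the greeting.
DEFAULT_BANNER = "mx1.example.test ESMTP Postfix (Ubuntu)"
HARDENED_BANNER = "mx1.example.test ESMTP"

# Tokens that give away MTA software, an OS in parentheses, or a version number.
SOFTWARE_RE = re.compile(r"postfix|exim|sendmail|microsoft|qmail|\(\w+\)|\d+\.\d+", re.I)


class StubHandler(socketserver.StreamRequestHandler):
    """Just enough of RFC 5321 to answer a scanner: 220 greeting, EHLO/HELO, QUIT."""

    def handle(self):
        self.wfile.write(f"220 {self.server.banner}\r\n".encode())
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.server.helo_args.append(arg)  # the name the probe used to identify itself
                self.wfile.write(b"250-mx1.example.test\r\n250-PIPELINING\r\n"
                                 b"250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                break
            else:
                self.wfile.write(b"502 5.5.2 Error: command not recognized\r\n")


class StubSmtpServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, banner):
        super().__init__(("127.0.0.1", 0), StubHandler)  # port 0: the OS picks a free port
        self.banner = banner
        self.helo_args = []
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


def ehlo_probe(host, port, helo_name="User", timeout=5):
    """One scanner session: connect, EHLO with a generic name, read the
    capability list, QUIT. Returns (banner text, sorted ESMTP extensions)."""
    client = smtplib.SMTP(timeout=timeout)
    code, banner = client.connect(host, port)
    if code != 220:
        client.close()
        raise RuntimeError(f"unexpected greeting: {code} {banner!r}")
    code, _ = client.ehlo(helo_name)
    extensions = sorted(client.esmtp_features) if code == 250 else []
    client.quit()
    return banner.decode(errors="replace"), extensions


def banner_disclosure(banner):
    """True when the text after the hostname names software, an OS or a version."""
    rest = banner.split(" ", 1)[1] if " " in banner else ""
    return bool(SOFTWARE_RE.search(rest))


def run_probe(banner, helo_name="User"):
    """Start a stub with the given banner, probe it, and report what the scanner
    learned alongside what the server recorded."""
    server = StubSmtpServer(banner)
    try:
        seen_banner, extensions = ehlo_probe("127.0.0.1", server.port, helo_name)
    finally:
        server.stop()
    return {
        "banner": seen_banner,
        "extensions": extensions,
        "discloses_software": banner_disclosure(seen_banner),
        "helo_seen_by_server": list(server.helo_args),
    }


if __name__ == "__main__":
    for banner in (DEFAULT_BANNER, HARDENED_BANNER):
        print(run_probe(banner))
```

Point ehlo_probe() at your own MX from outside the network to see exactly what this source saw: compare the extension list with what you intend to advertise, and check that the 220 line carries no software, version or OS string.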
Recommendations
- Implement rate limiting on the SMTP service so that a single source IP cannot sustain the connection volume seen here
- Log the EHLO/HELO argument for external sessions and alert on repeated connections that end right after EHLO; confirm the MTA actually records the argument for accepted sessions, not only for rejected commands
- Block 45.144.212.237 and watch for additional sources in the AS214940 range
- Review and harden the SMTP banner: keep the hostname, which RFC 5321 requires in the 220 greeting, and remove software name, version and OS strings
- Establish a baseline for SMTP connection volume per source IP and per country, and alert on deviations from it
INITIAL REPORT 2026-03-14T17:33:50Z
Source: batch_hunting
A threat actor operating from 45.144.212.237 (Kprohost, AS214940, Netherlands) conducted sustained SMTP reconnaissance against organizational mail infrastructure between March 6 and March 14, 2026, generating 6,132 events. The initial assessment was MEDIUM threat level (revised to LOW in the later update), focused on email system enumeration and possible preparation for credential harvesting. Immediate hardening of SMTP services and enhanced monitoring of email infrastructure were recommended.
Technical details
- Source: 45.144.212.237 (AS214940 Kprohost, Netherlands) with maximum AbuseIPDB reputation score (100/100)
- Campaign Duration: March 6, 2026 07:00 - March 14, 2026 17:00 (8-day sustained activity)
- Attack Volume: 6,132 events, mostly classified SMTP_PROBE, including 122 confirmed EHLO reconnaissance attempts
- Infrastructure Profile: Windows Server 2012 R2 fingerprint with services exposed on ports 22 (SSH), 135 (MS-RPC) and 445 (SMB); confirm whether this describes the probing host or the targeted mail server before acting on it
- TTPs: SMTP enumeration via EHLO commands against a single destination port; maps to T1595.001 (Active Scanning: Scanning IP Blocks), which covers banner grabbing of exposed services. T1590.001 (Gather Victim Network Information: Domain Properties) concerns domain registration data, not service probing
- IOCs: 45.144.212.237; EHLO-based SMTP reconnaissance pattern sustained over 8 days
IOCs
IP:45.144.212.237
ASN:214940
COUNTRY:NL
Recommendations
- Implement rate limiting and connection throttling on SMTP services so that enumeration from a single source is slowed and becomes visible
- Log and alert on SMTP EHLO/HELO commands from external sources, with particular attention to repeated connection attempts from one IP
- Block traffic from 45.144.212.237 and monitor for activity from related Kprohost (AS214940) infrastructure
- Review and harden email server configuration to minimize information disclosure during the SMTP handshake
- Hunt for similar SMTP reconnaissance patterns across all mail infrastructure and correlate the source IPs with authentication logs for follow-on attempts
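The logging, rate-limiting and blocking recommendations in both entries reduce to one hunt: find sources whose sessions stop at EHLO and feed them into an access map. The script below is an added example, not part of the report. It parses constructed Postfix 3.x smtpd log lines (the session summary on the disconnect line counts accepted/attempted commands, so ehlo=0/1 means one EHLO attempted and rejected), flags EHLO-only sessions, and emits a cidr: table for check_client_access. The threshold, the year (syslog lines carry none), the hostnames and the sample IPs other than the reported source are assumptions. One caveat for the EHLO-logging recommendation: Postfix records the EHLO argument only when it rejects the command, and with the default smtpd_delay_reject = yes the helo restrictions are evaluated at RCPT TO, so a scanner that sends EHLO and QUIT never triggers them; the disconnect summary line is the reliable signal.

```python
"""Hunt for SMTP EHLO-only probe sessions in Postfix smtpd logs and emit a
client-access map for sources that cross a threshold.

Added example, not part of the report. Log lines are constructed in Postfix
3.x syslog format; threshold, year and non-reported IPs are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2026        # assumption: syslog timestamps carry no year
PROBE_THRESHOLD = 5    # assumption: EHLO-only sessions from one source before blocking
SOURCE_IP = "45.144.212.237"


def _session(ts, host, ip, counts):
    """Two constructed smtpd lines: connect, then the disconnect summary."""
    return (f"{ts} mx1 postfix/smtpd[2311]: connect from {host}[{ip}]\n"
            f"{ts} mx1 postfix/smtpd[2311]: disconnect from {host}[{ip}] {counts}\n")


# Constructed sample: twelve EHLO-only probes, two EHLO "User" probes rejected at
# the HELO stage (logged this way only when smtpd_delay_reject = no), one real
# delivery from a mail provider, and one EHLO-only uptime check from a monitor.
SAMPLE_LOG = "".join(
    _session(f"Mar 14 16:{m:02d}:11", "unknown", SOURCE_IP, "ehlo=1 quit=1 commands=2")
    for m in range(0, 60, 5)
)
for _ts in ("Mar 14 17:01:09", "Mar 14 17:06:42"):
    SAMPLE_LOG += (
        f"{_ts} mx1 postfix/smtpd[2311]: connect from unknown[{SOURCE_IP}]\n"
        f"{_ts} mx1 postfix/smtpd[2311]: NOQUEUE: reject: EHLO from unknown[{SOURCE_IP}]: "
        "504 5.5.2 <User>: Helo command rejected: need fully-qualified hostname; "
        "proto=ESMTP helo=<User>\n"
        f"{_ts} mx1 postfix/smtpd[2311]: disconnect from unknown[{SOURCE_IP}] "
        "ehlo=0/1 quit=1 commands=1/2\n"
    )
SAMPLE_LOG += _session("Mar 14 16:20:03", "mail-sor-f41.google.com", "209.85.220.41",
                       "ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7")
SAMPLE_LOG += _session("Mar 14 16:30:00", "monitor.example.net", "203.0.113.5",
                       "ehlo=1 quit=1 commands=2")

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
                     r"postfix/smtpd\[\d+\]: (?P<msg>.*)$")
DISCONNECT_RE = re.compile(r"^disconnect from [^\s\[]+\[(?P<ip>[^\]]+)\](?P<counts>.*)$")
COUNT_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")      # name=accepted[/attempted]
REJECT_RE = re.compile(r"reject: (?:EHLO|HELO) from [^\s\[]+\[(?P<ip>[^\]]+)\]"
                       r".*helo=<(?P<helo>[^>]*)>")
# RFC 5321: the EHLO argument must be an FQDN or a bracketed address literal.
FQDN_RE = re.compile(r"^(?:\[[0-9A-Fa-f.:]+\]|(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+)$")


def _new_stats():
    return {"sessions": 0, "probe_sessions": 0, "helo_names": set(),
            "first": None, "last": None}


def hunt(log_text, probe_threshold=PROBE_THRESHOLD):
    """Per-source statistics and a verdict: block, review or ok."""
    stats = defaultdict(_new_stats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        msg = m["msg"]
        d = DISCONNECT_RE.match(msg)
        if d:
            pairs = COUNT_RE.findall(d["counts"])
            accepted = {k: int(v) for k, v, _ in pairs}
            attempted = {k: int(t or v) for k, v, t in pairs}
            s = stats[d["ip"]]
            s["sessions"] += 1
            s["first"] = ts if s["first"] is None else min(s["first"], ts)
            s["last"] = ts if s["last"] is None else max(s["last"], ts)
            greeted = attempted.get("ehlo", 0) + attempted.get("helo", 0) > 0
            # A session that greets but never sends MAIL or DATA is a capability probe.
            if greeted and accepted.get("mail", 0) == 0 and accepted.get("data", 0) == 0:
                s["probe_sessions"] += 1
            continue
        r = REJECT_RE.search(msg)
        if r:
            stats[r["ip"]]["helo_names"].add(r["helo"])
    report = {}
    for ip, s in stats.items():
        generic = sorted(h for h in s["helo_names"] if not FQDN_RE.match(h))
        if s["probe_sessions"] >= probe_threshold:
            verdict = "block"
        elif generic:
            verdict = "review"      # one bad EHLO alone is not worth an automatic block
        else:
            verdict = "ok"
        report[ip] = {**s, "generic_helo": generic, "verdict": verdict}
    return report


def cidr_access_map(report):
    """Lines for a Postfix cidr: table referenced by check_client_access."""
    return "\n".join(
        f"{ip}/32 REJECT SMTP probe source, {r['probe_sessions']} EHLO-only sessions"
        for ip, r in sorted(report.items()) if r["verdict"] == "block")


if __name__ == "__main__":
    rep = hunt(SAMPLE_LOG)
    for ip, r in sorted(rep.items()):
        print(ip, r["verdict"], f"{r['probe_sessions']}/{r['sessions']} probe sessions",
              r["generic_helo"])
    print(cidr_access_map(rep))
```

Rate limiting for sources that are merely noisy is a separate Postfix control, smtpd_client_connection_rate_limit (counted per anvil_rate_time_unit); the access map above is for sources you have already decided to reject outright, and a single EHLO-only session from a monitoring host is deliberately left alone.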