45.91.64.7

Summary (Bottom Line Up Front)

IP address 45.91.64.7 conducted sustained multi-protocol reconnaissance against network infrastructure from February 21 to April 11, 2026, generating 89 security events across 14 unique ports. The campaign primarily focused on SMTP probing with secondary targeting of RDP and SSH services, assessed as MEDIUM threat level with 85% confidence. Organizations should immediately audit exposed services and implement enhanced monitoring for these protocols.

Tags: FTP, HTTP, MySQL, RDP, SMTP, SSH, TCP, TCP/SYN, TLS, auto, http, mysql, smtp
Activity Timeline
UPDATE 1 (2026-04-11T17:46:37Z)
Source: Analyst Manual Entry
New findings
  • Attack Vector: Multi-protocol network reconnaissance spanning 50+ days
  • Primary Targets: SMTP (port 25), RDP, SSH, FTP (port 21), and database services
  • Volume: 89 events across 14 destination ports targeting FTP, HTTP, MySQL, RDP, SMTP, SSH, and TLS protocols
  • MITRE Technique: T1595.001 (Active Scanning: Scanning IP Blocks)
  • Kill Chain Phase: Reconnaissance
  • Key Patterns: SMTP EHLO commands ("EHLO agorum"), RDP x224 requests, SSH banner exchanges, FTP AUTH TLS attempts
  • IOCs: Source IP 45.91.64.7, sustained scanning pattern indicating potential botnet or automated tooling
Recommendations
  • Implement rate limiting and connection throttling on SMTP, RDP, and SSH services to mitigate automated scanning
  • Review and restrict unnecessary service exposure, particularly database ports and remote access protocols
  • Deploy enhanced logging and alerting for multi-protocol reconnaissance patterns from single source IPs
  • Consider geo-blocking or additional authentication layers for critical services if business requirements permit
  • Conduct immediate audit of SMTP server configurations and disable unnecessary EHLO responses that leak system information
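The third recommendation above (alerting on multi-protocol reconnaissance from a single source IP) can be implemented as a simple aggregation over connection logs. The script below is an added example written for this report, not tooling from the platform that produced it; the log line format, the benign second source 198.51.100.9 and the thresholds (at least 5 distinct ports, 3 distinct protocols, 7 days of activity) are assumptions chosen to illustrate the pattern described in the findings, with 45.91.64.7 used as the flagged source because it is the IP this report covers.

```python
"""Flag source IPs that probe many ports and protocols over a long window.

Added example for the recommendation above. The log format below is a
constructed one (timestamp, then key=value pairs), not any product's schema.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines. 45.91.64.7 is the IP from this report; the
# second source is a benign placeholder that only ever talks to one service.
SAMPLE_LOG = """\
2026-02-21T02:00:00Z src=45.91.64.7 dst_port=25 proto=smtp note="EHLO agorum"
2026-02-21T02:05:00Z src=45.91.64.7 dst_port=8080 proto=http
2026-03-02T11:14:00Z src=45.91.64.7 dst_port=3389 proto=rdp
2026-03-15T04:40:00Z src=45.91.64.7 dst_port=22 proto=ssh
2026-03-23T09:00:00Z src=45.91.64.7 dst_port=21 proto=ftp note="AUTH TLS"
2026-04-11T17:00:00Z src=45.91.64.7 dst_port=3306 proto=mysql
2026-03-01T10:00:00Z src=198.51.100.9 dst_port=443 proto=tls
2026-03-01T10:01:00Z src=198.51.100.9 dst_port=443 proto=tls
"""


def parse_line(line):
    """Parse one log line into a dict; shlex keeps quoted values intact."""
    ts_text, *pairs = shlex.split(line)
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def summarize(lines):
    """Aggregate per source IP: event count, distinct ports/protocols, first and last seen."""
    stats = defaultdict(lambda: {"events": 0, "ports": set(), "protos": set(), "first": None, "last": None})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["src"]]
        s["events"] += 1
        s["ports"].add(rec["dst_port"])
        s["protos"].add(rec["proto"].lower())
        # Lines need not arrive in time order, so track min/max explicitly.
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return stats


def flag_reconnaissance(stats, min_ports=5, min_protocols=3, min_days=7):
    """Return alert records for sources matching the multi-protocol recon pattern.

    Thresholds are assumed values for illustration; tune them to your baseline.
    """
    alerts = []
    for src, s in stats.items():
        span_days = (s["last"] - s["first"]).days
        if len(s["ports"]) >= min_ports and len(s["protos"]) >= min_protocols and span_days >= min_days:
            alerts.append({
                "src": src,
                "events": s["events"],
                "ports": sorted(s["ports"]),
                "protocols": sorted(s["protos"]),
                "span_days": span_days,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_reconnaissance(summarize(SAMPLE_LOG.splitlines())):
        print(f"ALERT {alert['src']}: {alert['events']} events, "
              f"{len(alert['ports'])} ports, {len(alert['protocols'])} protocols "
              f"over {alert['span_days']} days")
```

The benign source hits a single port on a single protocol and never trips the rule, while the report's source, with six ports across six protocols over 49 days in the sample, does. Counting distinct ports and protocols rather than raw event volume is what separates slow, low-rate reconnaissance of the kind described above from ordinary noisy clients.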
INITIAL REPORT (2026-03-23T20:45:58Z)
Source: Analyst Manual Entry
Russian IP address 45.91.64.7 conducted sustained reconnaissance activities over 30 days targeting multiple services including SMTP and HTTP across 5 unique ports. The threat level is assessed as LOW with moderate confidence, representing typical scanning behavior that often precedes targeted attacks. Network defenders should implement enhanced monitoring for this IP and similar reconnaissance patterns.
Technical details
Source: 45.91.64.7 (Russian Federation, ASN unknown)
Activity Window: February 21, 2026 02:00 - March 23, 2026 09:00 (30-day campaign)
Attack Volume: 88 events across multiple protocols (HTTP, TCP, TLS, SMTP)
Primary Technique: Service discovery and enumeration (MITRE T1595.002 - Active Scanning: Vulnerability Scanning)
Kill Chain Phase: Reconnaissance
Key Behavior: SMTP service probing using EHLO commands ("EHLO agorum") targeting port 25/TCP
AbuseIPDB Rating: 100/100 (maximum malicious score)
IOCs: IP 45.91.64.7, SMTP probe pattern "EHLO agorum"
IOCs
IP: 45.91.64.7
Country: RU
Recommendations
  • Block IP address 45.91.64.7 at perimeter firewalls and email security gateways
  • Implement enhanced logging and alerting for SMTP EHLO reconnaissance attempts from external sources
  • Monitor for similar multi-protocol scanning patterns targeting ports 25, 8080, and other common services
  • Review and harden SMTP server configurations to minimize information disclosure during reconnaissance
  • Correlate this activity with other Russian-originating reconnaissance attempts for potential campaign attribution