46.134.26.213

Summary (Bottom Line Up Front)

Orange Polska-sourced IP address 46.134.26.213 conducted reconnaissance and credential harvesting attempts targeting FortiGate login interfaces on March 12, 2026. Threat level assessed as LOW with medium confidence due to limited attack volume and reconnaissance-phase activity. Network defenders should implement enhanced monitoring for FortiGate authentication attempts and verify access controls.

Tags: TCP, TLS, TLS/1.0, https, https_tls_handshake
Activity Timeline
UPDATE 1 2026-03-23T07:08:14Z
Source: Analyst Manual Entry
New findings
  • Source: 46.134.26.213 (AS5617 Orange Polska Spolka Akcyjna, Poland)
  • Activity Window: March 12, 2026, 15:00-16:00 UTC (70 events)
  • Protocols: TCP, TLS 1.0, HTTPS with TLS handshake analysis
  • Attack Vectors: Credential harvesting (CREDENTIAL) and FortiGate reconnaissance (FORTI_RECON)
  • MITRE Mapping: T1046 (Network Service Scanning)
  • Kill Chain Phase: Reconnaissance
  • IOCs: 46.134.26.213 targeting 2 unique destination ports via HTTPS
Recommendations
  • Monitor FortiGate authentication logs for unusual login patterns and implement account lockout policies
  • Block or restrict access from 46.134.26.213 and consider geofencing if Poland-sourced traffic is unexpected
  • Review FortiGate exposure to the internet and implement IP allowlisting for administrative access where feasible
  • Enable multi-factor authentication on all FortiGate administrative accounts if not already implemented
  • Conduct an audit of FortiGate firmware versions and apply the latest security patches to prevent exploitation of known vulnerabilities
INITIAL REPORT 2026-03-14T17:49:50Z
Source: batch_hunting
IP address 46.134.26.213 (Orange Polska) conducted targeted reconnaissance and credential attacks against network infrastructure on 2026-03-12 from 15:00-16:00 UTC. The activity focused on FortiGate appliances with credential harvesting attempts, representing a MEDIUM threat level. Organizations should immediately review FortiGate access logs and implement additional authentication controls.
Technical details
The attacker executed 70 events over a 15-minute window using encrypted protocols (TLS/HTTPS) to evade detection. Primary techniques included reconnaissance of FortiGate login interfaces and credential-based authentication attempts against 2 unique destination ports. Attack patterns align with MITRE ATT&CK T1078 (Valid Accounts) and T1590.001 (Reconnaissance - IP Addresses). The source IP shows no prior malicious reputation scoring and operates from legitimate Polish telecommunications infrastructure, suggesting either compromised infrastructure or insider threat activity.
IOCs: 46.134.26.213 (source IP), Orange Polska ASN AS5617
IOCs
IP:46.134.26.213
ASN:5617
COUNTRY:PL
Recommendations
  • Review all FortiGate and network appliance authentication logs for the timeframe 2026-03-12 15:00-17:00 UTC
  • Implement multi-factor authentication on all network management interfaces if not already deployed
  • Monitor for additional reconnaissance activity from Orange Polska IP ranges (AS5617)
  • Validate that FortiGate management interfaces are not exposed to the public internet
  • Consider implementing rate limiting and account lockout policies for administrative login attempts