Summary (Bottom Line Up Front)
Malicious activity detected from 62.60.130.169 (LT, AS59441). 237156 events observed across SMTP, TCP. AI verdict: NOISE.
Activity Timeline
UPDATE 1 2026-05-22T13:55:18Z
Source: Analyst Manual Entry
Malicious activity detected from 62.60.130.169 (LT, AS59441). 237156 events observed across SMTP, TCP. AI verdict: NOISE.
New findings
Protocols: SMTP, TCP
Attack types: CREDENTIAL_CAPTURE, EXPLOIT, SMTP_PROBE, AI_DETECTED
Unique destination ports: 1
Active window: 2026-04-28 04:14:13.780623 to 2026-05-22 14:56:01.563568
Top patterns: auth, auth_login_creds, suricata_sid_2400007, claude_smtp_ehlo_reconnaissance, claude_smtp_generic_ehlo_probe
Recommendations
- Block 62.60.130.169 at perimeter firewall
- Monitor other traffic from AS59441
- Review correlated attacker profiles for campaign links
INITIAL REPORT 2026-05-22T13:54:10Z
Source: Analyst Manual Entry
An IP address (62.60.130.169) originating from Shiraz, Iran has been observed conducting credential capture attempts and SMTP probes over a period of 25 days. The activity is assessed as noise but warrants attention due to the high volume of credential capture events. Network defenders should implement or enhance monitoring for similar activities.
Technical details
The attacker utilized port 3389 (RDP) and engaged in SMTP probing with common EHLO commands, alongside a single exploit attempt flagged by Suricata SID 2400007. The majority of the traffic was categorized as credential capture attempts targeting authentication mechanisms. No specific CVEs or zero-day exploits were identified. Key MITRE ATT&CK techniques include T1555 (Credential Access: Credentials from Password Stores) and T1093 (Discovery: External Remote Services). Indicators of Compromise (IOCs) include the IP address 62.60.130.169 and port 25/TCP.
IOCs
IP: 62.60.130.169
ASN: 59441
COUNTRY: LT
Recommendations
- Monitor network traffic for unusual authentication attempts, especially on SMTP and RDP ports.
- Implement or update detection rules to flag EHLO commands with non-standard user agents.
- Review and enhance password policies and multi-factor authentication (MFA) requirements.
- Conduct regular security audits focusing on external remote services and credential storage practices.
- Educate users about the risks of phishing attempts that may exploit captured credentials.