Summary (Bottom Line Up Front)
An IP address from Luxembourg (64.89.160.43) has been observed conducting repeated SMTP AUTH probes and credential capture attempts over a period of 7 days. The activity is assessed as low to moderate threat level due to the lack of novel techniques or payloads, but network defenders should remain vigilant.
Activity Timeline
INITIAL REPORT 2026-05-19T18:24:58Z
Source: Analyst Manual Entry
An IP address from Luxembourg (64.89.160.43) has been observed conducting repeated SMTP AUTH probes and credential capture attempts over a period of 7 days. The activity is assessed as low to moderate threat level due to the lack of novel techniques or payloads, but network defenders should remain vigilant.
Technical details
The activity used SMTP over TCP and targeted port 25/TCP: EHLO banner and capability reconnaissance followed by generic SMTP probes. The key attack pattern is credential capture attempts through the server's SMTP AUTH mechanisms; the probe sessions were flagged by automated (AI-based) detection. The IP address has an abuse confidence score of 100/100 on AbuseIPDB, indicating that it has been widely reported for malicious activity. No specific CVEs or zero-day exploits were identified.
IOCs
IP: 64.89.160.43
COUNTRY: LU
Recommendations
- Review mail server logs (connect/disconnect records and SASL authentication failures) for any sessions from 64.89.160.43, and confirm that no AUTH attempt from it succeeded.
- Offer SMTP AUTH only on the submission ports (587/TCP or 465/TCP) and only after TLS is established; port 25/TCP should accept unauthenticated inbound mail only. Alert on repeated AUTH failures from a single source and on successful AUTH from unfamiliar sources.
- Block the source IP at the firewall or mail relay if it has no legitimate reason to reach your MX, and rate-limit clients that send only EHLO or repeatedly fail AUTH.
- Educate users on recognizing phishing emails, since captured mailbox credentials are commonly used to send them from a trusted domain.
- Maintain regular backups and ensure incident response plans are up-to-date.
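The following Python script is an added example, not part of the original report, showing how the log review recommended above can be automated for the EHLO reconnaissance and SMTP AUTH probing described in the technical details. It assumes Postfix syslog output (connect/disconnect counters and SASL failure warnings) and assumes the submission service logs as `postfix/submission/smtpd`, the usual `syslog_name` override in master.cf; the sample log lines are constructed for illustration and are not captured traffic from the incident.

```python
"""Score SMTP AUTH probing and EHLO-only reconnaissance per source IP
from Postfix smtpd log lines."""
import re
from collections import defaultdict

# Constructed sample log lines in Postfix syslog format (illustrative only).
SAMPLE_LOG = """\
May 19 18:24:58 mx1 postfix/smtpd[4711]: connect from unknown[64.89.160.43]
May 19 18:24:58 mx1 postfix/smtpd[4711]: disconnect from unknown[64.89.160.43] ehlo=1 quit=1 commands=2
May 19 18:25:03 mx1 postfix/smtpd[4712]: connect from unknown[64.89.160.43]
May 19 18:25:04 mx1 postfix/smtpd[4712]: warning: unknown[64.89.160.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 19 18:25:05 mx1 postfix/smtpd[4712]: warning: unknown[64.89.160.43]: SASL PLAIN authentication failed: authentication failure
May 19 18:25:06 mx1 postfix/smtpd[4712]: disconnect from unknown[64.89.160.43] ehlo=1 auth=0/2 quit=1 commands=2/4
May 19 18:30:00 mx1 postfix/submission/smtpd[4720]: connect from laptop.example.net[192.0.2.10]
May 19 18:30:01 mx1 postfix/submission/smtpd[4720]: warning: laptop.example.net[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
May 19 18:30:02 mx1 postfix/submission/smtpd[4720]: disconnect from laptop.example.net[192.0.2.10] ehlo=2 starttls=1 auth=1/2 mail=1 rcpt=1 data=1 quit=1 commands=8/9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>postfix/[\w/]+)\[\d+\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"(?P<name>\S+)\[(?P<ip>[\d.:a-fA-F]+)\]")
DISC_RE = re.compile(r"^disconnect from (?P<client>\S+\[[^\]]+\])(?P<counters>( \w+=\d+(/\d+)?)+)$")
FAIL_RE = re.compile(r"^warning: (?P<client>\S+\[[^\]]+\]): SASL (?P<mech>\w+) authentication failed")

# Assumption: the submission service is configured with syslog_name=postfix/submission,
# so plain "postfix/smtpd" is the port-25 MX listener.
MX_PROG = "postfix/smtpd"


def parse_counters(text):
    """Turn ' ehlo=1 auth=0/2 commands=2/4' into {'ehlo': (1, 1), 'auth': (0, 2), ...}.
    Postfix logs name=ok/total when some commands failed and name=ok otherwise."""
    out = {}
    for name, ok, total in re.findall(r"(\w+)=(\d+)(?:/(\d+))?", text):
        out[name] = (int(ok), int(total) if total else int(ok))
    return out


def summarize(log_text):
    """Aggregate per-source-IP session statistics from the log text."""
    stats = defaultdict(lambda: {"sessions": 0, "ehlo_only": 0, "auth_attempts": 0,
                                 "auth_success": 0, "auth_on_port25": 0, "sasl_failures": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        d = DISC_RE.match(msg)
        if d:
            ip = CLIENT_RE.match(d.group("client")).group("ip")
            c = parse_counters(d.group("counters"))
            s = stats[ip]
            s["sessions"] += 1
            ok, total = c.get("auth", (0, 0))
            s["auth_attempts"] += total
            s["auth_success"] += ok
            if prog == MX_PROG and total:
                s["auth_on_port25"] += total
            # Session consisting only of EHLO and QUIT: banner/capability reconnaissance.
            if "ehlo" in c and set(c) <= {"ehlo", "quit", "commands"}:
                s["ehlo_only"] += 1
            continue
        f = FAIL_RE.match(msg)
        if f:
            ip = CLIENT_RE.match(f.group("client")).group("ip")
            stats[ip]["sasl_failures"] += 1
    return dict(stats)


def reasons_for(s, fail_threshold=2):
    """Return the list of reasons a source's statistics look like probing."""
    reasons = []
    if s["auth_on_port25"]:
        reasons.append("AUTH attempted on port 25 (MX) rather than submission")
    if s["ehlo_only"]:
        reasons.append("EHLO-only sessions (capability reconnaissance)")
    if s["sasl_failures"] >= fail_threshold and s["auth_success"] == 0:
        reasons.append("repeated SASL failures with no success")
    if s["auth_success"] and s["sasl_failures"]:
        reasons.append("successful AUTH after failures: verify the account")
    return reasons


def flag_sources(log_text):
    """Map each source IP to its statistics and the reasons it was flagged (if any)."""
    return {ip: {"stats": s, "reasons": reasons_for(s)} for ip, s in summarize(log_text).items()}


if __name__ == "__main__":
    for ip, info in flag_sources(SAMPLE_LOG).items():
        print(ip, info["stats"], "->", "; ".join(info["reasons"]) or "no finding")
```

The distinction between the MX listener and the submission service matters: a legitimate client that fails once and then authenticates on 587 looks very different from a host that tries AUTH on port 25 with no success, even though both generate SASL failure warnings.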