Summary (Bottom Line Up Front)
IP address 64.89.160.82 conducted sustained SMTP-based reconnaissance and credential capture attempts against mail infrastructure from March 16-28, 2026, generating over 5,200 security events. Despite the high volume of activity, this represents common opportunistic scanning behavior with low sophistication. Network defenders should implement standard SMTP hardening measures and monitor for similar credential harvesting attempts.
Activity Timeline
UPDATE 1: 2026-03-28T17:23:11Z
Source: Analyst Manual Entry
New findings
- Attack Vector: SMTP protocol exploitation targeting port 25/TCP exclusively
- Volume: 5,239 events over 12-day period (March 16 13:00 - March 28 18:00, 2026)
- Primary Techniques: Credential capture via SMTP AUTH LOGIN commands (209 instances) and SMTP enumeration via EHLO probes (105 instances)
- MITRE Mapping: T1110 (Brute Force), T1589 (Gather Victim Identity Information)
- Payload Sample: Basic EHLO reconnaissance with generic "EHLO User" commands
- Threat Assessment: Low-sophistication opportunistic scanning (NOISE classification, 95% confidence)
- IOC: 64.89.160.82 (no reverse DNS resolution)
Recommendations
- Implement SMTP authentication rate limiting and account lockout policies to prevent credential brute-forcing
- Deploy network-level monitoring for unusual SMTP AUTH LOGIN attempt patterns and EHLO enumeration
- Configure mail servers to log and alert on repeated authentication failures from single source IPs
- Consider implementing SMTP banner hardening to reduce information disclosure during EHLO exchanges
- Block or rate-limit traffic from 64.89.160.82 at network perimeter if no legitimate business justification exists
INITIAL REPORT: 2026-03-22T08:09:18Z
Source: Analyst Manual Entry
IP address 64.89.160.82 (Ghosty Networks LLC, Luxembourg) conducted sustained SMTP reconnaissance against our infrastructure from March 16-22, 2026, generating 129 events targeting port 25. Despite the high AbuseIPDB score (100/100), this activity represents low-severity automated service discovery with no observed exploitation attempts. Network defenders should implement monitoring for this IP and prepare defensive measures against potential escalation.
Technical details
The threat actor conducted reconnaissance operations using TCP and SMTP protocols, specifically employing SMTP EHLO commands to probe mail services (MITRE T1046 - Network Service Scanning). Activity spanned approximately 6 days with 19 distinct SMTP probe attempts, indicating systematic service enumeration rather than opportunistic scanning. The source infrastructure presents multiple exposed services (ports 135, 445, 3389, 5357, 5986) suggesting a compromised Windows system or deliberately configured attack platform. No CVEs were exploited and no zero-day indicators were observed during the reconnaissance phase.
IOCs
IP: 64.89.160.82
ASN: 205759
COUNTRY: LU
Recommendations
- Block IP 64.89.160.82 at perimeter firewalls and monitor for additional IPs from AS205759 (Ghosty Networks LLC)
- Implement enhanced logging and alerting for SMTP service interactions, particularly EHLO command sequences
- Review and harden SMTP service configurations to minimize information disclosure during reconnaissance attempts
- Deploy network segmentation controls to limit lateral movement potential if initial compromise occurs
- Establish threat hunting queries for T1046 Network Service Scanning behaviors targeting critical infrastructure services
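One way to operationalize the monitoring recommendations in both entries (alerting on repeated SMTP AUTH LOGIN failures from a single source, and on EHLO-only enumeration sessions) is a per-source counter over mail server logs. The block below is an added example, not tooling from the analyst or any vendor: it parses constructed Postfix-style smtpd log lines (connect / SASL warning / disconnect-with-command-counts, as Postfix emits them), aggregates per client IP, and flags sources that cross a failure or probe threshold. The sample lines, the thresholds, and the function names `parse_smtpd_log` and `flag_sources` are assumptions.

```python
"""Per-source SMTP abuse counters over Postfix-style smtpd log lines.

Added example for this report; not code from the analyst or any vendor.
The log format follows Postfix smtpd conventions; thresholds are assumed
starting points and should be tuned to the mail server's normal traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). The disconnect line carries
# per-command counts; "auth=0/2" means 0 accepted of 2 offered AUTH commands.
SAMPLE_LOG = """\
Mar 16 13:02:11 mx1 postfix/smtpd[4021]: connect from unknown[64.89.160.82]
Mar 16 13:02:12 mx1 postfix/smtpd[4021]: warning: unknown[64.89.160.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 16 13:02:12 mx1 postfix/smtpd[4021]: warning: unknown[64.89.160.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 16 13:02:13 mx1 postfix/smtpd[4021]: disconnect from unknown[64.89.160.82] ehlo=1 auth=0/2 commands=1/3
Mar 16 13:05:40 mx1 postfix/smtpd[4022]: connect from unknown[64.89.160.82]
Mar 16 13:05:41 mx1 postfix/smtpd[4022]: disconnect from unknown[64.89.160.82] ehlo=1 commands=1
Mar 16 13:09:02 mx1 postfix/smtpd[4023]: connect from unknown[64.89.160.82]
Mar 16 13:09:03 mx1 postfix/smtpd[4023]: disconnect from unknown[64.89.160.82] ehlo=1 commands=1
Mar 16 13:10:15 mx1 postfix/smtpd[4024]: connect from mail.example.net[203.0.113.7]
Mar 16 13:10:16 mx1 postfix/smtpd[4024]: disconnect from mail.example.net[203.0.113.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 16 13:14:27 mx1 postfix/smtpd[4025]: connect from unknown[64.89.160.82]
Mar 16 13:14:28 mx1 postfix/smtpd[4025]: warning: unknown[64.89.160.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 16 13:14:29 mx1 postfix/smtpd[4025]: disconnect from unknown[64.89.160.82] ehlo=1 auth=0/1 commands=1/2
Mar 16 13:20:00 mx1 postfix/smtpd[4026]: connect from unknown[64.89.160.82]
Mar 16 13:20:01 mx1 postfix/smtpd[4026]: disconnect from unknown[64.89.160.82] ehlo=1 commands=1
"""

CONNECT_RE = re.compile(r": connect from \S+\[(?P<ip>[^\]]+)\]")
AUTH_FAIL_RE = re.compile(
    r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed")
DISCONNECT_RE = re.compile(
    r": disconnect from \S+\[(?P<ip>[^\]]+)\](?P<counts>(?: \w+=\d+(?:/\d+)?)*)")


@dataclass
class SourceStats:
    connections: int = 0
    ehlo: int = 0            # EHLO/HELO commands seen across all sessions
    auth_offered: int = 0    # AUTH commands offered (from disconnect counts)
    auth_failures: int = 0   # SASL "authentication failed" warning lines
    probe_sessions: int = 0  # sessions that only sent EHLO, then left
    mail_sessions: int = 0   # sessions that got as far as MAIL FROM


def _parse_counts(text):
    """Turn 'ehlo=1 auth=0/2 commands=1/3' into {name: (accepted, offered)}."""
    counts = {}
    for name, val in re.findall(r"(\w+)=(\d+(?:/\d+)?)", text):
        accepted, _, offered = val.partition("/")
        counts[name] = (int(accepted), int(offered or accepted))
    return counts


def parse_smtpd_log(lines):
    """Aggregate connect / SASL-failure / disconnect lines per client IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if m := CONNECT_RE.search(line):
            stats[m["ip"]].connections += 1
        elif m := AUTH_FAIL_RE.search(line):
            stats[m["ip"]].auth_failures += 1
        elif m := DISCONNECT_RE.search(line):
            s = stats[m["ip"]]
            c = _parse_counts(m["counts"])
            hello = c.get("ehlo", c.get("helo", (0, 0)))[1]
            s.ehlo += hello
            s.auth_offered += c.get("auth", (0, 0))[1]
            if "mail" in c:
                s.mail_sessions += 1
            elif hello and "auth" not in c:
                s.probe_sessions += 1  # banner grab / capability enumeration
    return dict(stats)


def flag_sources(stats, min_auth_failures=3, min_probe_sessions=3):
    """Return {ip: [reasons]} for sources crossing either threshold."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s.auth_failures >= min_auth_failures:
            reasons.append(f"{s.auth_failures} SASL failures (T1110 pattern)")
        if s.probe_sessions >= min_probe_sessions:
            reasons.append(f"{s.probe_sessions} EHLO-only sessions (enumeration)")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_sources(parse_smtpd_log(SAMPLE_LOG.splitlines())).items():
        print(ip, "->", "; ".join(reasons))
```

Counting EHLO-only sessions separately from SASL failures matters for the two techniques named in the update: a source that repeatedly connects, sends EHLO and leaves is enumerating capabilities (T1589/T1046-style discovery) even when it never attempts AUTH, while the SASL counter isolates the T1110 pattern. The legitimate relay in the sample (`203.0.113.7`) completes a delivery and is not flagged. In production, feed `parse_smtpd_log` from a log tail within a sliding time window rather than a whole file, and keep the thresholds above the retry behaviour of your own mail clients.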