64.89.163.147

Summary (Bottom Line Up Front)

Threat actor at 64.89.163.147 conducted sustained SMTP reconnaissance operations over 14 hours targeting email infrastructure with 41 total events. Assessment indicates MEDIUM threat level based on systematic probing behavior and moderate abuse reputation (37/100). Immediate action recommended to block source IP and review SMTP server configurations.

Tags: TCP, SMTP
Activity Timeline
INITIAL REPORT 2026-03-14T17:47:22Z
Source: batch_hunting
Technical details
  • Source: 64.89.163.147 (AS401626 Netiface America, Inc., Germany)
  • Activity Window: 2026-03-12 13:00 to 2026-03-13 03:00 (14-hour campaign)
  • Attack Vector: SMTP protocol reconnaissance via HELO, MAIL FROM, and RCPT TO commands
  • System Profile: Windows 10 build 17763 with RDP (port 3389) exposed
  • Volume: 41 events across TCP and SMTP protocols
  • MITRE ATT&CK: T1018 (Remote System Discovery), T1590.002 (Gather Victim Network Information)
  • IOCs: IP 64.89.163.147, systematic SMTP enumeration pattern
IOCs
IP: 64.89.163.147
ASN: 401626
COUNTRY: DE
Recommendations
  • Block IP address 64.89.163.147 at perimeter firewalls and email security gateways
  • Review SMTP server logs for evidence of successful enumeration or data exfiltration attempts
  • Implement rate limiting on SMTP HELO/EHLO commands to prevent reconnaissance abuse
  • Monitor for additional reconnaissance activity from AS401626 network range
  • Validate SMTP server hardening configurations and disable unnecessary information disclosure