Summary (Bottom Line Up Front)
External IP address 77.83.39.74 conducted sustained SMTP reconnaissance and credential capture attempts against email infrastructure over a 22-day period from March 4-26, 2026. This activity represents initial reconnaissance phases of a potential email-based attack campaign with 8,403 recorded events targeting SMTP services. Organizations should implement enhanced monitoring of email infrastructure and review authentication controls.
Activity Timeline
UPDATE 2 2026-03-26T15:08:19Z
Source: Analyst Manual Entry
New findings
Attack Vector: SMTP service enumeration and credential harvesting targeting port 25/TCP
Volume: 8,403 events over 22-day period (March 4 06:00 - March 26 16:00 UTC)
Primary Techniques: SMTP service probing via EHLO commands and authentication bypass attempts
MITRE ATT&CK Mapping: T1046 (Network Service Scanning)
Kill Chain Phase: Reconnaissance
Key Patterns: 217 SMTP probe attempts and 206 credential capture events
Sample Activity: Basic SMTP enumeration using "EHLO User" commands
IOC: 77.83.39.74 (no reverse DNS resolution)
Recommendations
- Implement rate limiting and connection throttling on SMTP services to prevent reconnaissance scanning
- Enable comprehensive logging for SMTP authentication attempts and failed login events
- Deploy network monitoring to detect abnormal SMTP enumeration patterns and repeated connection attempts
- Review and strengthen email server authentication mechanisms, including multi-factor authentication where applicable
- Consider implementing IP-based blocking or geo-filtering if the source location does not align with legitimate business requirements
UPDATE 1 2026-03-25T10:21:18Z
Source: Analyst Manual Entry
External IP address 77.83.39.74 conducted sustained SMTP reconnaissance against port 25 over a 21-day period from March 4-25, 2026, generating over 4,000 connection attempts. This activity represents medium-risk reconnaissance behavior consistent with email infrastructure enumeration that could precede targeted phishing or spam campaigns. Organizations should review SMTP exposure and implement enhanced monitoring for follow-up malicious activity.
New findings
Attack Vector: TCP-based SMTP probing using EHLO commands targeting port 25
Volume: 4,070 events over 21-day period (March 4 06:00 - March 25 10:00, 2026)
MITRE Technique: T1046 (Network Service Scanning)
Kill Chain Phase: Reconnaissance
Primary Pattern: SMTP_PROBE attacks with 217 documented EHLO enumeration attempts
Sample Payload: "EHLO User" commands indicating basic service fingerprinting
Source Attribution: Unknown threat actor, no VPN usage detected
Threat Assessment: Medium confidence (75%) for reconnaissance activity with 5% probability of zero-day exploitation
Recommendations
- Monitor SMTP services for unusual connection patterns and implement rate limiting on port 25 to prevent reconnaissance scanning
- Review mail server configurations to ensure unnecessary information disclosure is minimized in EHLO/HELO responses
- Deploy enhanced logging for SMTP connections and establish baseline traffic patterns to detect anomalous enumeration attempts
- Consider implementing fail2ban or similar tools to automatically block IPs exhibiting reconnaissance behavior against mail services
- Validate that SMTP services are only exposed where operationally necessary and implement network segmentation for mail infrastructure
INITIAL REPORT 2026-03-14T17:51:14Z
Source: batch_hunting
Threat actor operating from IP 77.83.39.74 (AS215693 PalmaHost, Netherlands) conducted sustained SMTP reconnaissance against multiple targets from March 4-12, 2026, generating over 4,000 malicious events. Assessment indicates MEDIUM threat level based on systematic probing behavior and maximum AbuseIPDB reputation score. Immediate blocking and enhanced SMTP monitoring recommended.
Technical details
- Source Infrastructure: 77.83.39.74 (AS215693 PalmaHost, Netherlands), Windows Server 2012 R2 build 6.3.9600
- Campaign Timeline: March 4, 2026 06:00 - March 12, 2026 10:00 (8-day duration)
- Attack Volume: 4,067 total events, 217 SMTP EHLO probe attempts
- Primary Technique: SMTP service enumeration via EHLO command reconnaissance
- MITRE ATT&CK Mapping: T1046 (Network Service Scanning), T1590.001 (Gather Victim Network Information: Domain Properties)
- Infrastructure Profile: Extensive service exposure across 14 open ports including mail services (25, 587, 993, 995), web services (80, 443), and remote management (5986, 47001)
- IOCs: Single-port targeting pattern suggests automated tooling focused on mail server discovery
IOCs
IP: 77.83.39.74
ASN: 215693
COUNTRY: NL
Recommendations
- Block IP 77.83.39.74 and monitor AS215693 (PalmaHost) for additional malicious activity
- Implement rate limiting on SMTP EHLO commands to prevent reconnaissance abuse
- Review and harden SMTP server configurations, disable unnecessary EHLO response information disclosure
- Deploy enhanced logging for SMTP enumeration attempts and integrate with SIEM alerting
- Conduct threat hunting for similar reconnaissance patterns targeting mail infrastructure
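A defender-side illustration of the logging and enumeration-detection recommendations in the updates above (added here; it is not code from the report, PalmaHost, or any tool the report names): it parses constructed Postfix smtpd log lines and flags a source address that repeatedly opens EHLO-only sessions or accumulates SASL authentication failures inside a sliding window. The log format follows Postfix's syslog output; the window length and thresholds are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2026  # Postfix syslog timestamps carry no year; assume the report's year
_PFX = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
# Session summary on disconnect ("... ehlo=1 quit=1 commands=2") and failed SASL logins
DISCONNECT_RE = re.compile(_PFX + r"disconnect from \S+\[([\d.]+)\] (.+)$")
AUTHFAIL_RE = re.compile(_PFX + r"warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")

def _ts(text):
    return datetime.strptime(f"{YEAR} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def parse_line(line):
    """Return (timestamp, ip, kind) with kind in {'probe', 'authfail', 'normal'}, or None."""
    m = DISCONNECT_RE.match(line)
    if m:
        issued = {kv.split("=", 1)[0] for kv in m.group(3).split()} - {"commands", "quit"}
        # Only EHLO/HELO then QUIT is a capability probe (the report's "EHLO User"
        # pattern); legitimate delivery also issues MAIL, RCPT and DATA.
        return _ts(m.group(1)), m.group(2), "probe" if issued <= {"ehlo", "helo"} else "normal"
    m = AUTHFAIL_RE.match(line)
    return (_ts(m.group(1)), m.group(2), "authfail") if m else None

def detect(lines, window_min=60, probe_threshold=3, authfail_threshold=3):
    """Sliding-window counts per source IP (lines in time order); returns {ip: {kinds}}."""
    recent = defaultdict(lambda: {"probe": deque(), "authfail": deque()})
    alerts = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if not parsed or parsed[2] == "normal":
            continue
        ts, ip, kind = parsed
        q = recent[ip][kind]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_min * 60:
            q.popleft()  # expire events older than the window
        if len(q) >= (probe_threshold if kind == "probe" else authfail_threshold):
            alerts[ip].add(kind)
    return dict(alerts)
# Constructed sample log (not real data); the probing address is the report's IOC.
SAMPLE_LOG = """\
Mar  4 06:00:01 mx1 postfix/smtpd[1201]: disconnect from unknown[77.83.39.74] ehlo=1 quit=1 commands=2
Mar  4 06:02:13 mx1 postfix/smtpd[1207]: disconnect from unknown[77.83.39.74] ehlo=1 quit=1 commands=2
Mar  4 06:05:40 mx1 postfix/smtpd[1210]: disconnect from mail.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar  4 06:09:02 mx1 postfix/smtpd[1215]: disconnect from unknown[77.83.39.74] ehlo=1 quit=1 commands=2
Mar  4 06:20:10 mx1 postfix/smtpd[1230]: warning: unknown[77.83.39.74]: SASL LOGIN authentication failed
Mar  4 06:20:12 mx1 postfix/smtpd[1230]: warning: unknown[77.83.39.74]: SASL LOGIN authentication failed
Mar  4 06:20:15 mx1 postfix/smtpd[1230]: warning: unknown[77.83.39.74]: SASL LOGIN authentication failed
""".splitlines()
```

`detect(SAMPLE_LOG)` returns both alert kinds for the report's source address and nothing for the host that completed a normal delivery; feed it a tailed mail log to drive SIEM alerting or a blocklist action.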