Summary (Bottom Line Up Front)
Threat actor operating from Lithuanian IP address 77.90.185.65 conducted sustained SMTP reconnaissance against multiple targets over 5 days (March 13-18, 2026), generating 349 malicious events with a maximum AbuseIPDB reputation score. This represents a MEDIUM threat level focused on email infrastructure enumeration. Organizations should immediately review SMTP server logs and implement enhanced monitoring for similar reconnaissance activities.
Activity Timeline
UPDATE 2026-03-18T00:02:32Z
Source: Analyst Manual Entry
Threat actor operating from Lithuanian IP address 77.90.185.65 conducted sustained SMTP reconnaissance against multiple targets over 5 days (March 13-18, 2026), generating 349 malicious events with a maximum AbuseIPDB reputation score. This represents a MEDIUM threat level focused on email infrastructure enumeration. Organizations should immediately review SMTP server logs and implement enhanced monitoring for similar reconnaissance activities.
New findings
The attacker used SMTP over TCP to conduct systematic probing, primarily issuing EHLO commands to enumerate mail server capabilities and configurations. Attack volume totaled 349 events across a 5-day operational window (March 13 16:00 - March 18 00:00 UTC). The campaign demonstrates characteristics consistent with MITRE ATT&CK T1046 (Network Service Scanning) and T1590.001 (Gather Victim Network Information: Domain Properties). Key indicators include source IP 77.90.185.65 (AS215476 Inside Network LTD, Lithuania) targeting SMTP infrastructure exclusively on standard ports.
Recommendations
- Implement rate limiting on SMTP EHLO commands to prevent rapid enumeration attempts
- Deploy enhanced logging for SMTP reconnaissance activities, particularly focusing on repeated EHLO requests from single sources
- Block traffic from 77.90.185.65 and monitor for additional reconnaissance from AS215476 network ranges
- Review mail server configurations to minimize information disclosure through SMTP banner responses
- Establish baseline monitoring for abnormal SMTP connection patterns and implement alerting for sustained probing activities
INITIAL REPORT 2026-03-14T17:42:52Z
Source: batch_hunting
A Lithuanian-based IP address (77.90.185.65) conducted sustained SMTP reconnaissance against network infrastructure over a 2-hour period on March 13, 2026. The activity demonstrates focused enumeration behavior with 85 total events targeting SMTP services, assessed as MEDIUM threat level. Network defenders should implement enhanced SMTP monitoring and consider blocking the source IP.
Technical details
The threat actor operated from AS215476 (Inside Network LTD) in Vilnius, Lithuania, with a maximum AbuseIPDB reputation score of 100/100 indicating confirmed malicious activity. Attack patterns consisted exclusively of SMTP_PROBE events using smtp_ehlo commands over TCP, suggesting systematic service enumeration. The concentrated 2-hour attack window (16:00-18:00 UTC) with 85 events indicates automated tooling rather than manual reconnaissance. Primary IOC: 77.90.185.65, with an SSH service exposed on port 22.
IOCs
IP: 77.90.185.65
ASN: 215476
COUNTRY: LT
Recommendations
- Block source IP 77.90.185.65 at perimeter firewalls and email security gateways
- Enhance SMTP service monitoring for unusual EHLO command patterns and connection volumes
- Review SMTP server configurations to ensure minimal information disclosure during reconnaissance attempts
- Implement rate limiting on SMTP connections to mitigate automated enumeration tools
- Monitor for additional reconnaissance activity from AS215476 (Inside Network LTD) address space
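As an added example (not part of this report or of the hunting tooling it cites), the following Python script implements the detection both recommendation lists describe: flagging a single source that issues repeated EHLO requests in a short window. The log format below is a constructed, generic "<timestamp> <src_ip> <command>" form, and every line except the reported source IP 77.90.185.65 is made up; real MTAs log SMTP commands differently (or not at all by default), so the parser is the part to adapt.

```python
"""Flag sources that issue repeated SMTP EHLO probes within a sliding window.

Added example; the log lines and the log format are constructed for
illustration and do not come from the report's data set.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log. 77.90.185.65 is the IP named in the report;
# 203.0.113.10 (documentation range) stands in for a benign peer.
SAMPLE_LOG = """\
2026-03-13T16:00:01Z 77.90.185.65 EHLO scanner.example
2026-03-13T16:00:03Z 77.90.185.65 EHLO scanner.example
2026-03-13T16:00:05Z 77.90.185.65 EHLO scanner.example
2026-03-13T16:00:07Z 77.90.185.65 QUIT
2026-03-13T16:00:09Z 77.90.185.65 EHLO scanner.example
2026-03-13T16:00:12Z 77.90.185.65 EHLO scanner.example
2026-03-13T16:00:13Z 77.90.185.65 EHLO scanner.example
2026-03-13T16:01:00Z 203.0.113.10 EHLO mail.partner.example
2026-03-13T16:01:02Z 203.0.113.10 MAIL FROM:<a@partner.example>
2026-03-13T16:30:00Z 203.0.113.10 EHLO mail.partner.example
"""


def parse_line(line):
    """Split one constructed log line into (utc timestamp, source ip, SMTP verb)."""
    ts_str, src, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    verb = rest.split(" ", 1)[0].upper()
    return ts, src, verb


def find_ehlo_probers(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: peak EHLO count seen in any `window`} for sources at or over `threshold`.

    A per-source deque keeps only EHLO timestamps inside the sliding window, so
    memory stays bounded and a slow, long-running scan is measured by its burst
    rate rather than by lifetime totals.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, verb = parse_line(line)
        if verb != "EHLO":
            continue  # only the enumeration command is counted
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop EHLOs that fell out of the window
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, count in find_ehlo_probers(SAMPLE_LOG).items():
        print(f"ALERT: {src} sent {count} EHLO commands within one minute")
```

The threshold and window are deliberately conservative defaults; a legitimate relay normally issues one EHLO per connection, so even a handful per minute from one address is unusual and the values should be tuned against your own baseline before alerting is enabled. The same per-source counter can drive the rate-limiting recommendation by refusing further EHLO commands once the window count is exceeded.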