Summary (Bottom Line Up Front)
A Romanian-based threat actor (80.94.95.216) conducted sustained SMTP reconnaissance against multiple targets from March 1-7, 2026, generating 1,547 malicious events with a maximum AbuseIPDB reputation score. The activity represents a HIGH threat level indicative of pre-attack reconnaissance for potential email-based campaigns. Immediate blocking and enhanced SMTP monitoring are recommended.
Activity Timeline
UPDATE 1: 2026-03-18T22:06:03Z
Source: Analyst Manual Entry
New findings
The threat actor operated from unmanaged infrastructure (AS204428 UNMANAGED LTD) in Timișoara, Romania, demonstrating persistent reconnaissance behavior over a six-day period. The primary attack vector was SMTP probing using EHLO commands (142 instances) against email infrastructure for service enumeration. The actor used multiple protocols, including Redis, TCP, and SMTP; the SSH service (port 22) exposed on the attacking system suggests potential lateral movement capabilities. Activity maps to MITRE T1046 (Network Service Scanning) and T1589 (Gather Victim Identity Information). Key IOC: 80.94.95.216, with a 100% abuse confidence rating and no legitimate reverse DNS resolution.
Recommendations
- Block IP address 80.94.95.216 at perimeter firewalls and email security gateways immediately
- Implement enhanced logging and alerting for SMTP EHLO command anomalies and high-frequency email service probing
- Review email server configurations to minimize information disclosure during SMTP banner exchanges and service enumeration
- Monitor for additional reconnaissance activity from AS204428 (UNMANAGED LTD) infrastructure and consider ASN-level blocking
- Conduct threat hunting for similar SMTP enumeration patterns across email infrastructure to identify potential campaign scope
INITIAL REPORT: 2026-03-15T09:49:39Z
Source: Analyst Manual Entry
A threat actor operating from Romanian IP 80.94.95.216 conducted sustained SMTP reconnaissance against multiple targets between March 1 and 7, 2026, generating 1,547 malicious events focused on email infrastructure enumeration. Assessment: MEDIUM threat level, given the reconnaissance nature of the activity and the high abuse reputation (100/100 AbuseIPDB score). Immediate blocking and enhanced SMTP monitoring are recommended.
Technical details
- Source: 80.94.95.216 (AS204428 UNMANAGED LTD, Timișoara, Romania)
- Campaign Duration: March 1, 2026 15:00 - March 7, 2026 14:00 UTC
- Attack Volume: 1,547 events across 6-day period
- Primary Technique: SMTP EHLO command probing (142 instances) targeting email server enumeration
- Protocols Observed: SMTP, Redis, TCP SYN scanning
- MITRE ATT&CK Mapping: T1018 (Remote System Discovery), T1046 (Network Service Scanning)
- Infrastructure: Linux-based system with SSH (port 22) exposed, no reverse DNS resolution
- IOCs: 80.94.95.216, SMTP enumeration patterns via EHLO commands
IOCs
- IP: 80.94.95.216
- ASN: 204428
- Country: RO
Recommendations
- Block IP 80.94.95.216 at perimeter firewalls and email security gateways immediately
- Implement rate limiting on SMTP EHLO commands to prevent reconnaissance abuse
- Monitor for additional scanning activity from AS204428 (UNMANAGED LTD) netblocks
- Review SMTP server logs for successful enumeration attempts and potential follow-on activities
- Consider implementing SMTP banner hardening to reduce information disclosure during reconnaissance
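As an added example (not part of either analyst entry), the following Python sketches the EHLO-frequency alerting recommended in both the update and the initial report: it parses constructed SMTP log lines in a hypothetical ISO-timestamped, Postfix-like format, counts EHLO commands per source IP inside a sliding window, and flags sources that reach a threshold, recording missing reverse DNS as a secondary indicator the way the report does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical Postfix-like format with ISO timestamps.
# Not real log data; the probing source is the IOC named in this report.
SAMPLE_LOG = """\
2026-03-01T15:00:01Z mx postfix/smtpd[311]: connect from unknown[80.94.95.216]
2026-03-01T15:00:02Z mx postfix/smtpd[311]: EHLO from unknown[80.94.95.216]: probe
2026-03-01T15:00:09Z mx postfix/smtpd[311]: EHLO from unknown[80.94.95.216]: probe
2026-03-01T15:00:31Z mx postfix/smtpd[312]: EHLO from unknown[80.94.95.216]: probe
2026-03-01T15:01:04Z mx postfix/smtpd[313]: EHLO from unknown[80.94.95.216]: probe
2026-03-01T15:02:40Z mx postfix/smtpd[314]: EHLO from unknown[80.94.95.216]: probe
2026-03-01T15:03:15Z mx postfix/smtpd[315]: EHLO from mail.example.org[192.0.2.10]: mail.example.org
2026-03-01T15:05:51Z mx postfix/smtpd[316]: EHLO from unknown[80.94.95.216]: probe
2026-03-01T16:40:00Z mx postfix/smtpd[340]: EHLO from mail.example.org[192.0.2.10]: mail.example.org
""".splitlines()

# Only EHLO lines matter here; connect/disconnect lines are ignored.
EHLO_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtpd\[\d+\]: EHLO from (?P<rdns>\S+)\[(?P<ip>[^\]]+)\]"
)

def parse_ehlo_events(lines):
    """Return {ip: [rdns, [timestamps]]} for every EHLO line that parses."""
    events = defaultdict(lambda: [None, []])
    for line in lines:
        m = EHLO_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events[m["ip"]][0] = m["rdns"]
        events[m["ip"]][1].append(ts)
    return events

def max_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of length `window`."""
    ts, best, start = sorted(timestamps), 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_ehlo_probers(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag sources whose peak EHLO rate in any window reaches the threshold."""
    alerts = {}
    for ip, (rdns, stamps) in parse_ehlo_events(lines).items():
        peak = max_in_window(stamps, window)
        if peak >= threshold:
            alerts[ip] = {"peak_ehlo": peak, "total": len(stamps), "no_rdns": rdns == "unknown"}
    return alerts
```

Running `find_ehlo_probers(SAMPLE_LOG)` on the constructed lines flags only 80.94.95.216 (six EHLOs in under ten minutes, no reverse DNS), while the legitimate relay with two EHLOs an hour apart stays below the threshold.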