Summary (Bottom Line Up Front)
Iranian-origin threat actor at 81.30.98.144 conducted sustained SMTP credential harvesting operations targeting mail infrastructure over a 17-day period, generating 174,000+ malicious events with a focus on authentication bypass. The campaign demonstrates persistent reconnaissance and credential capture capabilities against email services. Immediate implementation of SMTP authentication monitoring and IP blocking is recommended.
Activity Timeline
UPDATE 2026-06-09T20:04:00Z
Source: Analyst Manual Entry
Iranian-origin threat actor at 81.30.98.144 conducted sustained SMTP credential harvesting operations targeting mail infrastructure over a 17-day period, generating 174,000+ malicious events with a focus on authentication bypass. The campaign demonstrates persistent reconnaissance and credential capture capabilities against email services. Immediate implementation of SMTP authentication monitoring and IP blocking is recommended.
New findings
Source: 81.30.98.144 (Tehran, Iran / Atis Omran Sevin PSJ)
Campaign Duration: May 23, 2026 18:00 - June 9, 2026 22:00 UTC
Attack Volume: 174,079 events across multiple protocols (Elasticsearch, EtherNet/IP, Kafka, SIP, SMTP, TCP)
Primary TTPs: CREDENTIAL_CAPTURE operations (51,199 events), SMTP reconnaissance via EHLO commands (3,371 events)
Key Indicators: Repeated "EHLO localhost" commands, authentication login attempts, duplicate SMTP field abuse
AbuseIPDB Rating: 100/100 (maximum threat score)
Infrastructure: Single open port (SSH/22), no reverse DNS resolution
Recommendations
- Block 81.30.98.144 at perimeter firewalls and email security gateways immediately
- Implement enhanced monitoring for SMTP EHLO reconnaissance patterns and repeated authentication failures
- Deploy rate limiting on SMTP services to throttle high-volume credential stuffing; rate limiting slows brute forcing but does not stop a low-and-slow attacker, so pair it with the authentication-failure monitoring above
- Review mail server logs for successful authentications from 81.30.98.144 and other Iranian IP ranges during the campaign timeframe (May 23 to June 9, 2026); a successful login from the scanning source is what distinguishes a noisy probe from an account compromise
- Enable multi-factor authentication for all email accounts and disable legacy authentication protocols where possible
INITIAL REPORT 2026-06-03T09:00:05Z
Source: Analyst Manual Entry
An IP address (81.30.98.144) has been observed conducting SMTP AUTH probes and credential capture attempts over a period of 11 days. Despite the high volume of activity, the AI analysis suggests this is likely noise rather than an advanced attack vector. Network defenders should monitor for similar patterns but take no immediate action unless additional indicators suggest malicious intent.
Technical details
The IP address has engaged multiple protocols, including SMTP and TCP, with a focus on port 25/TCP. The primary attack vectors identified include CREDENTIAL_CAPTURE via AUTH mechanisms and PROTO_ABUSE through duplicate fields in SMTP communications. Notably, the AI detected SMTP EHLO reconnaissance as a medium-level threat pattern. No CVEs or zero-day exploits were associated with this activity.
IOCs
IP: 81.30.98.144
COUNTRY: LT (the later update geolocates the same address to Tehran, Iran; the two entries disagree on country)
Recommendations
- Monitor for unusual authentication attempts on SMTP servers.
- Implement strict rate limiting and anomaly detection on port 25/TCP.
- Review logs for duplicate fields in SMTP communications to identify potential abuse.
- Stay vigilant for any new patterns that emerge from ongoing monitoring.
- Educate staff about the importance of secure credential management.
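Added example, not part of either analyst entry and not the sensor's code: a small Python triage script for the indicators and recommendations above (repeated authentication failures and EHLO reconnaissance in the update's monitoring recommendation, successful logins from the source during the campaign window in its log-review recommendation, and the duplicate-field review in the initial report). It assumes Postfix-style smtpd syslog lines for SASL results, that the EHLO argument is available from a sensor or honeypot transcript (Postfix does not log it by default), that "duplicate SMTP fields" means repeated RFC 5322 header fields, and a log year of 2026 since classic syslog timestamps carry none. The sample log lines and sample message are constructed; only the IP address and campaign window come from the report.

```python
"""SMTP credential-harvesting triage (added example; not the sensor's or the
analyst's code). Assumes Postfix-style smtpd syslog lines, EHLO arguments from
a sensor transcript (Postfix does not log them by default), and that the
report's "duplicate SMTP fields" means repeated RFC 5322 header fields."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email import message_from_string

# Postfix smtpd log patterns (IPv4 only; the report involves no IPv6 source).
SASL_FAIL = re.compile(r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\w+) authentication failed")
SASL_OK = re.compile(r"client=\S+\[(?P<ip>[\d.]+)\], sasl_method=(?P<mech>\w+), sasl_username=(?P<user>\S+)")
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")

# Campaign window and source are from the report; the year is assumed because
# classic syslog timestamps do not carry one.
CAMPAIGN_START = datetime(2026, 5, 23, 18, 0, tzinfo=timezone.utc)
CAMPAIGN_END = datetime(2026, 6, 9, 22, 0, tzinfo=timezone.utc)
BLOCKLIST = {"81.30.98.144"}
LOG_YEAR = 2026

# Constructed sample log: a burst of failures and then a success from the
# reported source, plus a legitimate user who mistyped once after the window.
SAMPLE_LOG = """\
Jun  9 21:58:02 mx1 postfix/smtpd[4411]: warning: unknown[81.30.98.144]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  9 21:58:04 mx1 postfix/smtpd[4411]: warning: unknown[81.30.98.144]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  9 21:58:06 mx1 postfix/smtpd[4411]: warning: unknown[81.30.98.144]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  9 21:58:08 mx1 postfix/smtpd[4411]: warning: unknown[81.30.98.144]: SASL PLAIN authentication failed: authentication failure
Jun  9 21:58:10 mx1 postfix/smtpd[4411]: warning: unknown[81.30.98.144]: SASL PLAIN authentication failed: authentication failure
Jun  9 21:58:12 mx1 postfix/smtpd[4411]: warning: unknown[81.30.98.144]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  9 21:58:15 mx1 postfix/smtpd[4411]: 7F3A1B2C4D: client=unknown[81.30.98.144], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  9 21:58:20 mx1 postfix/smtpd[4411]: disconnect from unknown[81.30.98.144] ehlo=1 auth=1/7 mail=1 rcpt=0/1 quit=1 commands=4/11
Jun  9 22:30:00 mx1 postfix/smtpd[4412]: warning: laptop.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  9 22:31:00 mx1 postfix/smtpd[4412]: 8A9B0C1D2E: client=laptop.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
"""
# Constructed sample message with a duplicated From: header.
SAMPLE_MSG = "From: a@example.com\nFrom: b@example.com\nSubject: hi\nReceived: x\nReceived: y\n\nbody\n"

def parse_ts(line):
    """Classic syslog timestamp -> aware UTC datetime (year from LOG_YEAR)."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp in {line[:40]!r}")
    stamp = f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)

def auth_failure_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """{ip: peak failures within any `window`} for sources at or above threshold.
    A sliding window rather than a daily total separates a typo from stuffing."""
    stamps = defaultdict(list)
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            stamps[m["ip"]].append(parse_ts(line))
    bursts = {}
    for ip, ts in stamps.items():
        ts.sort()
        peak = j = 0
        for i, t in enumerate(ts):
            while ts[j] < t - window:   # drop timestamps that fell out of the window
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts

def successful_logins_from(lines, ips, start, end):
    """Successful SASL logins inside [start, end]; all sources when ips is None.
    A success from the scanning source is what turns noise into an incident."""
    hits = []
    for line in lines:
        m = SASL_OK.search(line)
        if not m:
            continue
        t = parse_ts(line)
        if start <= t <= end and (ips is None or m["ip"] in ips):
            hits.append({"ts": t, "ip": m["ip"], "user": m["user"], "mech": m["mech"]})
    return hits

def is_suspicious_ehlo(arg, own_names=()):
    """True for EHLO arguments no legitimate remote MTA presents: localhost,
    loopback, a bare IP (RFC 5321 requires brackets), or our own hostname."""
    raw = arg.strip()
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", raw):
        return True
    a = raw.strip("[]").lower()
    if a in {"", "localhost", "localhost.localdomain", "::1"} or a.startswith("127."):
        return True
    return a in {n.lower() for n in own_names}

# Header fields RFC 5322 section 3.6 allows at most once per message.
UNIQUE_HEADERS = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
                  "message-id", "in-reply-to", "references", "subject"}

def duplicate_headers(raw_message):
    """{header: count} for must-be-unique headers that occur more than once."""
    counts = defaultdict(int)
    for name in message_from_string(raw_message).keys():   # keys() keeps duplicates
        counts[name.lower()] += 1
    return {n: c for n, c in counts.items() if n in UNIQUE_HEADERS and c > 1}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bursts:", auth_failure_bursts(lines))
    print("logins:", successful_logins_from(lines, BLOCKLIST, CAMPAIGN_START, CAMPAIGN_END))
    print("dupes:", duplicate_headers(SAMPLE_MSG))
```

Run it against a real mail log with `SAMPLE_LOG` replaced by the file contents; the burst threshold and window are starting points, not tuned values. The one result that demands an incident ticket rather than a firewall rule is a non-empty return from successful_logins_from for the blocked source, because it means a harvested credential worked.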