81.30.98.44

Summary (Bottom Line Up Front)

An IP address (81.30.98.44) has been observed engaging in credential capture attempts and SMTP probing activities over a period of 7 days, primarily targeting port 25/TCP. The activity is assessed as a noise-level threat with no confirmed CVEs or zero-day exploits; however, network defenders should remain vigilant.

BACnet Kafka SMTP TCP TCP/SYN
Activity Timeline
INITIAL REPORT 2026-05-30T06:45:28Z
Source: Analyst Manual Entry
Technical details
The attacker used the BACnet, Kafka, SMTP, TCP, and TCP/SYN protocols to conduct credential capture (CREDENTIAL_CAPTURE) and protocol abuse (PROTO_ABUSE). The primary attack vector involved SMTP probes using EHLO commands. A total of 58,046 events were recorded with a high volume of CREDENTIAL_CAPTURE attempts. No specific MITRE technique mapping is available.
IOCs
IP:81.30.98.44
ASN:209425
COUNTRY:LT
Recommendations
  • Monitor and log all SMTP traffic on port 25/TCP.
  • Implement strict access controls and authentication mechanisms for critical services.
  • Review and update firewall rules to block suspicious IP addresses.
  • Educate users about the importance of secure credential management.
  • Deploy anomaly detection tools to identify unusual patterns in network activity.