86.54.42.44

Summary (Bottom Line Up Front)

Internet-facing sensors observed targeted SMTP reconnaissance activity from IP 86.54.42.44 (Switzerland/AS42624) during a concentrated 1-second window on 2026-03-02 at 02:00 hours. The activity demonstrates medium-severity mail server enumeration behavior with systematic protocol probing across multiple SMTP command sequences. This represents focused reconnaissance activity consistent with automated tooling targeting mail infrastructure.

TCP smtp
Activity Timeline
INITIAL REPORT 2026-03-14T08:37:59Z
Source: Analyst Manual Entry
Technical details
The observed activity consisted of 22 events utilizing TCP and SMTP protocols, specifically targeting standard SMTP service ports. Traffic analysis revealed systematic SMTP command enumeration including EHLO handshake probing, MAIL FROM sender verification attempts, and RCPT TO recipient validation testing. The attack pattern maps to MITRE ATT&CK technique T1046 (Network Service Scanning) within the Discovery tactic, indicating active reconnaissance of mail server capabilities and accepted domains. Source infrastructure analysis shows the actor operating from Swiss address space via Global-Data System IT Corporation hosting, with exposed services on ports 3389 (RDP), 5357 (WSD), and 5985 (WinRM) suggesting Windows-based attack infrastructure. No specific CVE exploitation attempts were observed; activity remained within standard SMTP protocol boundaries but exhibited clear reconnaissance intent.
IOCs
IP:86.54.42.44
ASN:42624
COUNTRY:CH