Iranian-origin threat actor at 81.30.98.144 conducted sustained SMTP credential harvesting operations targeting mail infrastructure over a 17-day period, generating 174,000+ malicious events with a focus on authentication bypass. Campaign demonstrates persistent reconnaissance and credential capture cap…
Posts tagged: SMTP_PROBE
31 posts

An IP address (81.30.98.44) has been observed engaging in credential capture attempts and SMTP probing activities over a period of 7 days, primarily targeting port 25/TCP. The activity is assessed as noise-level threat with no confirmed CVEs or zero-day exploits; however, network defenders should re…
Malicious activity detected from 81.30.98.207 (LT, AS209425). 73829 events observed across Diameter, MySQL, SMTP, TCP, TCP/SYN. AI verdict: NOISE.
An IP address (81.30.98.181) from Iran has been observed conducting SMTP AUTH probes and credential capture attempts over a period of five days in May 2026. The activity is assessed as noise, but network defenders should review their SMTP configurations and implement additional authentication measur…
An IP address from Luxembourg (64.89.160.43) has been observed conducting repeated SMTP AUTH probes and credential capture attempts over a period of 7 days. The activity is assessed as low to moderate threat level due to the lack of novel techniques or payloads, but network defenders should remain v…
IP address 178.16.54.237 (Netherlands/dus.net GmbH) conducted sustained SMTP reconnaissance and credential capture attempts against organizational infrastructure from April 29 00:00 to May 4 18:00. The source IP maintains a 100/100 AbuseIPDB reputation score and is listed on Spamhaus DROP, indicatin…
IP address 64.89.160.72 (Ghosty Networks LLC, Luxembourg) conducted sustained SMTP reconnaissance against mail servers from April 21-29, 2026, generating 4,928 events primarily targeting port 25. The activity consists of standard EHLO probes with credential capture attempts and poses low threat risk…
IP address 45.91.64.7 conducted sustained multi-protocol reconnaissance against network infrastructure from February 21 to April 11, 2026, generating 89 security events across 14 unique ports. The campaign primarily focused on SMTP probing with secondary targeting of RDP and SSH services, assessed a…
IP address 91.92.240.214 conducted 185 automated attacks over 15 days targeting SMTP services with relay attempts and IoT command injection, assessed as low-sophistication botnet activity with MEDIUM threat level. Organizations should implement SMTP relay restrictions and monitor for similar reconna…
Threat actor operating from 185.93.89.64 (Netherlands/AS213790) conducted sustained SMTP reconnaissance against mail infrastructure over 28 days, generating 7,725 events targeting port 25. Activity assessed as LOW threat level reconnaissance likely aimed at identifying vulnerable mail servers for fu…
Threat actor operating from Netherlands-based hosting infrastructure (45.144.212.98) conducted sustained reconnaissance and exploitation attempts targeting IoT devices and SMTP services over a 7-day period ending April 6, 2026. Campaign generated 5,265+ malicious events with a focus on MQTT command inje…
Automated SMTP relay attempts and vulnerability scanning observed from IP 178.16.52.2 between March 11-26, 2026, generating 115 security events targeting port 25/TCP. Assessment indicates low-sophistication automated activity with minimal threat impact. Standard email security hardening and monitori…
IP address 64.89.160.82 conducted sustained SMTP-based reconnaissance and credential capture attempts against mail infrastructure from March 16-28, 2026, generating over 5,200 security events. Despite the high volume of activity, this represents common opportunistic scanning behavior with low sophi…
External IP address 77.83.39.74 conducted sustained SMTP reconnaissance and credential capture attempts against email infrastructure over a 22-day period from March 4-26, 2026. This activity represents initial reconnaissance phases of a potential email-based attack campaign with 8,403 recorded event…
A medium-severity threat actor operating from Netherlands infrastructure (45.144.212.199) conducted sustained SMTP reconnaissance activities against mail servers between February 28-March 2, 2026. The attacker performed systematic mail server probing using suspicious sender addresses potentially lin…
External threat actor conducted sustained SMTP reconnaissance against organizational infrastructure from IP 45.144.212.237 (Netherlands/Kprohost ASN214940) between March 6-22, 2026, generating 13,097 probe attempts. Assessment indicates LOW severity automated scanning activity designed to enumerate…
Lithuanian-based IP 141.98.9.114 conducted low-volume SMTP reconnaissance against mail infrastructure on March 18, 2026, between 02:00-08:00 hours, attempting to enumerate mail server capabilities and recipients. This activity represents typical network reconnaissance behavior with LOW assessed thre…
Threat actor operating from IP 141.98.9.68 (Lithuania, AS209588) conducted SMTP user enumeration attacks against organizational email infrastructure over a 16-hour period from March 15-16, 2026. Assessment indicates LOW severity reconnaissance activity consistent with email harvesting for potential …
IP address 158.94.209.116 (Middlesex University/NL) conducted sustained SMTP enumeration attacks over 18 hours targeting email infrastructure with 59 recorded events. Assessed threat level: MEDIUM due to reconnaissance nature and academic network origin suggesting potential research activity or com…
A Romanian-based threat actor (80.94.95.216) conducted sustained SMTP reconnaissance against multiple targets from March 1-7, 2026, generating 1,547 malicious events with a maximum AbuseIPDB reputation score. The activity represents a HIGH threat level indicative of pre-attack reconnaissance for po…
Russian-origin IP address 195.98.71.118 conducted targeted SMTP reconnaissance against mail infrastructure on 2026-02-28 at approximately 11:00 UTC, executing 19 probe attempts within a one-minute window. This activity represents MEDIUM-confidence email harvesting reconnaissance consistent with spa…
Threat actor operating from Lithuanian IP address 77.90.185.65 conducted sustained SMTP reconnaissance against multiple targets over 5 days (March 13-18, 2026), generating 349 malicious events with a maximum AbuseIPDB reputation score. This represents a MEDIUM threat level focused on email infrastr…
IP address 66.132.153.127 conducted an 11-day reconnaissance campaign from March 1-12, 2026, targeting Fortinet appliances and SMTP services with 141 recorded events. The threat actor demonstrates medium-severity scanning behavior focused on network infrastructure enumeration. Organizations should …
Threat actor at 64.89.163.147 conducted sustained SMTP reconnaissance operations over 14 hours targeting email infrastructure with 41 total events. Assessment indicates MEDIUM threat level based on systematic probing behavior and moderate abuse reputation (37/100). Immediate action recommended to b…
A Windows Server 2012 R2 system at 91.92.240.10 (Neterra Ltd./DE) conducted sustained SMTP reconnaissance against our infrastructure between March 12-13, 2026. This represents medium-severity reconnaissance activity with potential for follow-on attacks targeting email services. Immediate blocking a…