Iranian-origin threat actor at 81.30.98.144 conducted sustained SMTP credential harvesting operations targeting mail infrastructure over 17-day period, generating 174,000+ malicious events with focus on authentication bypass. Campaign demonstrates persistent reconnaissance and credential capture cap…
Posts tagged: ai_detected
16 posts

Malicious activity detected from 93.123.109.127 (NL, AS48090). 629 events observed across SMTP, TCP. AI verdict: NOISE.
An IP address from Düsseldorf, Germany (178.16.54.22) has been observed engaging in credential capture attempts and SMTP probing over a three-day period. The activity is assessed as noise but warrants attention due to the high volume of login attempts. Network defenders should implement or review th…
An IP address (81.30.98.44) has been observed engaging in credential capture attempts and SMTP probing activities over a period of 7 days, primarily targeting port 25/TCP. The activity is assessed as noise-level threat with no confirmed CVEs or zero-day exploits; however, network defenders should re…
Malicious activity detected from 81.30.98.207 (LT, AS209425). 73829 events observed across Diameter, MySQL, SMTP, TCP, TCP/SYN. AI verdict: NOISE.
An IP address (81.30.98.181) from Iran has been observed conducting SMTP AUTH probes and credential capture attempts over a period of five days in May 2026. The activity is assessed as noise, but network defenders should review their SMTP configurations and implement additional authentication measur…
Malicious activity detected from 62.60.130.169 (LT, AS59441). 237156 events observed across SMTP, TCP. AI verdict: NOISE.
An IP address from Luxembourg (64.89.160.43) has been observed conducting repeated SMTP AUTH probes and credential capture attempts over a period of 7 days. The activity is assessed as low to moderate threat level due to the lack of novel techniques or payloads, but network defenders should remain v…
IP address 178.16.54.237 (Netherlands/dus.net GmbH) conducted sustained SMTP reconnaissance and credential capture attempts against organizational infrastructure from April 29 00:00 to May 4 18:00. The source IP maintains a 100/100 AbuseIPDB reputation score and is listed on Spamhaus DROP, indicatin…
IP address 64.89.160.72 (Ghosty Networks LLC, Luxembourg) conducted sustained SMTP reconnaissance against mail servers from April 21-29, 2026, generating 4,928 events primarily targeting port 25. The activity consists of standard EHLO probes with credential capture attempts and poses low threat risk…
Threat actor operating from 185.93.89.64 (Netherlands/AS213790) conducted sustained SMTP reconnaissance against mail infrastructure over 28 days, generating 7,725 events targeting port 25. Activity assessed as LOW threat level reconnaissance likely aimed at identifying vulnerable mail servers for fu…
External threat actor 66.132.172.102 conducted targeted reconnaissance against industrial control systems using Modbus protocol attacks between March 20-26, 2026, with 79 recorded events. This HIGH confidence threat demonstrates sophisticated capabilities targeting critical infrastructure with poten…
Russian-origin IP address 89.109.8.38 conducted SMBv1 protocol negotiation attempts against non-standard port 9001 on February 26, 2026 at 17:00 hours. This reconnaissance activity presents medium risk due to SMBv1's inherent vulnerabilities and potential for lateral movement exploitation. Network d…
Russian-origin IP address 109.95.121.70 conducted sustained SMB reconnaissance targeting organizational networks over a 23-day period from February 25 to March 20, 2026, generating 143 security events. The activity primarily leveraged vulnerable SMBv1 protocol for network enumeration and represents …
Russian-origin IP address 95.25.169.123 conducted sustained SMBv1 protocol reconnaissance against non-standard port 9001 over a 15-day period from February 15-March 2, 2026. This activity represents HIGH-risk reconnaissance likely preparing for lateral movement exploitation of legacy SMB services. O…
IP address 158.94.209.116 (Middlesex University/NL) conducted sustained SMTP enumeration attacks over 18 hours targeting email infrastructure with 59 recorded events. Assessed threat level: MEDIUM due to reconnaissance nature and academic network origin suggesting potential research activity or com…