378,000 Emails in 10 Hours — Anatomy of a Phishing Campaign Caught on Our Qatar Sensor
On the night of February 25, 2026, our honeypot sensor in Doha, Qatar captured a sudden burst of SMTP activity. Over a 10-hour window, a single IP address sent 3,664 phishing messages targeting over 378,000 email addresses — almost entirely Hotmail and Outlook accounts.
The source: AS214940 (Kprohost LLC), responsible for 99.5% of all SMTP traffic to our Qatar sensor in the last 24 hours. The payload: a multi-variant Powerball lottery scam impersonating a real lottery winner.
This post breaks down the full campaign — the infrastructure, the social engineering, and the technical tricks used to evade email filters.
The Overnight Surge
Our Qatar sensor typically sees moderate SMTP probe traffic. On February 25, that changed:
| Hour (UTC) | Messages | Notes |
|---|---|---|
| 12:00 | 628 | Initial burst — DR PAUL variant |
| 13:00 | 289 | Lerynne West variant ramps up |
| 14:00 | 211 | Sustained sending |
| 18:00 | 2,402 | Peak hour — bulk Lerynne West campaign |
| 19:00 | 131 | Tapering off |
| 21:00–23:00 | ~3 | Residual messages |
The primary source IP — **77.83.39.217** — was responsible for 3,662 of the 3,664 captured events across 23 distinct SMTP sessions. This IP belongs to AS214940 (Kprohost LLC), a hosting provider that accounted for 84.3K events and 99.5% of all SMTP traffic to our Qatar infrastructure.

Two Variants, One Scam
The campaign ran two distinct distribution strategies for the same phishing content — a classic Powerball lottery donation scam.
Variant 1: "Lerynne West" (3,032 messages)
The primary campaign impersonated Lerynne West, a real person who won $343.9 million in the Powerball lottery in 2018. The scammers weaponized this real event to add credibility.
MAIL FROM: "LERYNNE WEST"[email protected]
Subject: Powerball Multistate Lottery!
Recipients per message: 20 (personalized distribution)
Total recipients: 60,624
The email body claims the recipient was "randomly selected through the Global Information Management Exchange (GMX)" for a $735,000 donation. It requests full personal details: name, gender, age, marital status, phone number, and home address, and references an "M&T Bank account officer" to handle the transfer.
Key excerpt from the phishing email:
"As part of my desire to give back, I am thrilled to inform you that your email address was randomly selected through the Global Information Management Exchange (GMX) and I am making a donation of $735,000 USD to you as a token of appreciation for hard-working individuals like yourself."
Variant 2: "DR PAUL" (627 messages)
The second variant used the same phishing content but a completely different distribution strategy.
MAIL FROM: DR (with FROM header "DR PAUL"[email protected])
Subject: Powerball Multistate Lottery!
Recipients per message: ~507 (bulk optimization)
Total recipients: 317,631
This variant fired in an 8-minute burst between 12:39 and 12:47 UTC, roughly 78 messages per minute. Where the Lerynne West variant sent 20 recipients per message (mimicking legitimate mail), the DR PAUL variant crammed 500+ recipients into each message for raw throughput.
Same scam. Two strategies. This looks like A/B testing: the attacker was comparing whether personalized small-batch delivery or high-volume bulk delivery gets better inbox placement.
Secondary Campaigns
Two additional messages stood out in the data:
Nigerian advance-fee scam: A single message from "GRACE"<[email protected]> (spoofing a South African university domain) sent to 6 recipients. Classic victim-compensation angle with a fake attorney at [email protected] requesting fees for a "$380 fund permit ownership certificate."
Microsoft spoofing with leaked template: One message impersonating Microsoft, but the attacker forgot to populate the template variable. The email body contains a visible [[-Email-]] placeholder where the recipient's address should have been. A rushed campaign or broken tooling.
Technical Evasion Techniques
Quoted-Printable Encoding
The phishing emails use quoted-printable encoding with deliberate soft line breaks (a trailing `=`) placed mid-word:

```
Congratulations=
media=
ity=
```

This fragments keywords that email filters rely on for signature matching. The encoded text renders perfectly in email clients, but filter rules matching "Congratulations" as a single string won't trigger.
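As an added illustration (not code from the original post), the following Python shows why signature rules have to run after quoted-printable decoding, and gives a cheap heuristic for the mid-word soft-break trick. The message body and keyword list are constructed for the example, not captured from the sensor.

```python
import quopri

# Constructed sample (not a captured message) of a quoted-printable body whose
# soft line breaks (a trailing "=") fall mid-word, as described above.
SAMPLE_QP_BODY = b"""Congratu=
lations! Your email address was selected through the Global Informa=
tion Management Exchange (GMX) and I am making a donation of $735,000 USD.
Please reply immedia=
tely with your full name, phone number and home address."""

# Keywords a simple filter rule might look for in a lottery-scam body.
KEYWORDS = ("Congratulations", "donation", "immediately")


def naive_matches(raw: bytes) -> dict:
    """Signature matching against the still-encoded body: words split by a
    soft break are never seen as one string, so those rules silently miss."""
    return {k: k.encode() in raw for k in KEYWORDS}


def decoded_matches(raw: bytes) -> dict:
    """The same rules after quopri decoding, which joins soft-broken lines and
    restores the original words. This is the order a filter should use."""
    body = quopri.decodestring(raw)
    return {k: k.encode() in body for k in KEYWORDS}


def mid_word_soft_breaks(raw: bytes) -> int:
    """Count soft breaks where the character before "=" and the first
    character of the next line are both letters. Legitimate encoders usually
    break at spaces, so a high count is itself a useful heuristic."""
    lines = raw.splitlines()
    count = 0
    for cur, nxt in zip(lines, lines[1:]):
        if cur.endswith(b"=") and len(cur) > 1:
            before = cur[-2:-1]
            after = nxt[:1]
            if before.isalpha() and after.isalpha():
                count += 1
    return count
```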
Domain Spoofing
The attacker spoofed multiple legitimate domains across variants:
- abc.org: Main campaign sender
- engage.microsoft.com: Microsoft impersonation attempt
- ump.ac.za: University of Mpumalanga (South African academic institution)
None of these domains authorized the sending IP. Organizations enforcing DMARC with reject policy would block these outright, but many recipients' mail providers don't enforce strictly.
Fake Mail Client Headers
The messages carried fabricated X-Mailer headers:
- Indy 8.0.25
- Indy 9.00.10
- Microsoft Outlook Express
All obsolete mail clients. The Indy library versions date to the early 2000s. These headers are likely hardcoded in the spam tooling to mimic legitimate mail software.
Targeting Patterns
The recipient list is highly specific:
- 99%+ Hotmail and Outlook addresses: No Gmail, Yahoo, or ProtonMail
- Real-sounding names: snubble****@hotmail.com, soccer**@hotmail.com, Drpaul****@outlook.com
- English-speaking focus: All recipient addresses use English words or names
This targeting pattern suggests a purchased or leaked email list, not random generation. The Hotmail concentration indicates that the list likely originates from an older data breach: Hotmail was the dominant free email provider in the 2000s and early 2010s, and many of those accounts are still active Outlook addresses.
What This Means
A single IP on a budget hosting provider sent over 3,600 SMTP sessions targeting 378,000+ email addresses in one night, from a network that exists specifically because it's cheap and loosely monitored.
For email security teams, the indicators are clear:
- IP: 77.83.39.217
- ASN: AS214940 (Kprohost LLC)
- Spoofed domains: abc.org, engage.microsoft.com, ump.ac.za
- Subject line: "Powerball Multistate Lottery!"
- Social engineering hook: Real lottery winner impersonation + fake bank transfer
All of this data (the source IP, its reputation history, associated protocols, and behavioral patterns) is available through our IP reputation API. The IP and its network are tracked across all 16 protocol honeypots, not just SMTP.
Explore the Data
You can look up any IP in our threat database at https://sikkerapi.com — no account required. For automated protection, integrate our IP blacklist into your mail server or firewall using our Nginx, iptables/ipset, or Fail2Ban guides.
For SIEM integration, our STIX/TAXII feed delivers structured threat intelligence including SMTP-sourced indicators. See the full list of monitored protocols on our threat landscape page, including SMTP activity.