Cybercriminals Targeting Microsoft Remote Desktop Protocol Services with Scans from Over 30,000 IP Addresses

A massive coordinated scanning campaign has emerged, targeting Microsoft Remote Desktop Protocol (RDP) services. Threat actors have deployed over 30,000 unique IP addresses to probe for vulnerabilities in Microsoft RD Web Access and RDP Web Client authentication portals. This campaign represents one of the largest coordinated RDP reconnaissance operations observed in recent years, signalling potential preparation for large-scale credential-based attacks. Key takeaways: the scale is unprecedented, with over 30,000 IPs involved; US schools are being targeted with username enumeration attacks during the back-to-school season; and there is an 80% chance of major exploits.

The scanning operation commenced with an initial wave on August 21, 2025, involving nearly 2,000 IP addresses targeting both Microsoft RD Web Access and Microsoft RDP Web Client services. However, the campaign escalated dramatically on August 24, when security researchers detected over 30,000 unique IP addresses conducting coordinated probes using identical client signatures. This indicates a sophisticated botnet infrastructure or coordinated toolset deployment. GreyNoise reports that the attack methodology focuses on timing-based authentication enumeration, exploiting subtle differences in server response times to identify valid usernames without triggering traditional brute-force detection mechanisms. Network telemetry analysis reveals that 92% of the scanning infrastructure consists of previously classified malicious IP addresses, with source traffic heavily concentrated in Brazil while exclusively targeting United States-based RDP endpoints. 
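Because the probes are spread across many addresses that share one client signature, a per-IP failed-login threshold sees almost nothing. The following is an added example, not code from GreyNoise or the original article: it groups portal requests by client signature instead of source IP. It assumes IIS W3C logs with a `#Fields` header and RD Web Access served under `/RDWeb/`; the function names, thresholds and log lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C format: documentation-range IPs, made-up user agents.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status time-taken
2025-08-24 10:00:01 POST /RDWeb/Pages/en-US/login.aspx 192.0.2.10 ExampleScanner/1.0 200 31
2025-08-24 10:00:02 POST /RDWeb/Pages/en-US/login.aspx 192.0.2.11 ExampleScanner/1.0 200 29
2025-08-24 10:00:02 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.7 ExampleScanner/1.0 200 112
2025-08-24 10:00:03 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.5 ExampleScanner/1.0 200 30
2025-08-24 10:00:04 GET /RDWeb/Pages/en-US/login.aspx 203.0.113.80 Mozilla/5.0+(Windows+NT+10.0) 200 15
2025-08-24 10:00:09 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.80 Mozilla/5.0+(Windows+NT+10.0) 302 140
2025-08-24 10:00:10 GET /favicon.ico 192.0.2.10 ExampleScanner/1.0 404 2
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def shared_signature_sources(text, portal_prefix="/rdweb/", min_ips=3, per_ip_limit=5):
    """Flag client signatures that reach the portal from at least min_ips addresses.

    per_ip_alerts counts the addresses a classic per-IP threshold would have
    caught, showing how little of a distributed scan such a rule sees.
    """
    hits = defaultdict(lambda: defaultdict(int))  # signature -> source IP -> requests
    for row in parse_w3c(text):
        if row["cs-uri-stem"].lower().startswith(portal_prefix):
            hits[row["cs(User-Agent)"]][row["c-ip"]] += 1
    flagged = {}
    for signature, per_ip in hits.items():
        if len(per_ip) >= min_ips:
            flagged[signature] = {
                "ips": sorted(per_ip),
                "per_ip_alerts": sum(1 for n in per_ip.values() if n > per_ip_limit),
            }
    return flagged
```

On production logs, `min_ips` would be set well above the number of addresses that legitimately share a common browser signature.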

Categories: RDP Scanning Campaign, Credential-Based Attacks, Educational Sector Targeting 

Tags: RDP, Scanning, Vulnerabilities, Credential, Enumeration, Botnet, Authentication, Exploits, Educational, APT 
