Coordinated Cyber Army? 30,000 Hackers’ IPs Storm Microsoft Remote Desktop Gateways

The420.in Staff

Cybersecurity researchers have detected one of the largest coordinated scanning campaigns against Microsoft's Remote Desktop Protocol (RDP) services this year. Threat intelligence firm GreyNoise reported more than 30,000 unique IP addresses simultaneously probing the RD Web Access and RDP Web Client authentication portals, a dramatic escalation from an earlier wave of 1,971 IPs observed just three days earlier.

The sudden scale of activity raised alarms across the security community. Baseline scanning against Microsoft’s remote access portals typically originates from only a handful of IP addresses daily. The surge represented not just an increase in volume but also a high level of coordination, suggesting a deliberate reconnaissance campaign rather than opportunistic scanning.


A Highly Coordinated Effort?

Investigators noted that every IP targeting the Microsoft RD Web Access service also probed the RDP Web Client portal, indicating synchronized execution. Of the 1,971 initial IPs, 1,851 presented an identical client signature (the same fingerprint of the connecting software), a finding that points toward a single toolset or botnet module driving the whole wave.

The attackers appeared focused on timing-based username enumeration against the authentication workflow. By measuring small differences in how long the server takes to reject a login attempt, they could infer whether a submitted username exists, without ever supplying the correct password. The technique is subtle but valuable: it yields a verified list of real accounts, so subsequent password spraying or credential stuffing can be aimed at names that actually exist instead of wasting attempts, and generating noise, on names that do not.
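The mechanism described above, as an added illustration that is not GreyNoise's tooling or Microsoft's RD Web Access code: a generic login routine that returns early for unknown users leaks their existence through response time, while a version that does the same hashing work on every path does not. The account store, salt, iteration count, candidate names and the attacker's classification thresholds are all constructed for the example.

```python
import hashlib
import hmac
import statistics
import time

# Constructed stand-in for a credential store: one real account plus a
# precomputed dummy hash used to equalise the work on the unknown-user path.
ITERATIONS = 100_000
SALT = b"constructed-static-salt"  # constructed; real stores use a per-user salt


def derive(password: str) -> bytes:
    """Deliberately slow password hash (PBKDF2) so timing differences are visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"alice": derive("correct horse battery staple")}
DUMMY_HASH = derive("not-a-real-password")


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users are rejected before any hashing happens,
    so a wrong password against a real account takes far longer to fail."""
    stored = USERS.get(username)
    if stored is None:
        return False  # fast path: this early return is the side channel
    return hmac.compare_digest(derive(password), stored)


def login_constant_work(username: str, password: str) -> bool:
    """Hardened pattern: always hash, compare against a dummy for unknown users,
    and only then fold in whether the account exists."""
    stored = USERS.get(username, DUMMY_HASH)
    matches = hmac.compare_digest(derive(password), stored)
    return matches and username in USERS


def response_time(login, username: str, password: str, samples: int = 3) -> float:
    """Median wall-clock time in seconds of `samples` login attempts."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, password)
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def probe_usernames(login, candidates, wrong_password: str = "x",
                    ratio: float = 5.0, min_gap: float = 0.005) -> list:
    """Attacker's view: one failed attempt per candidate, then call a name 'valid'
    when its response is both `ratio` times slower than the median candidate and
    slower by more than `min_gap` seconds (constructed thresholds; the gap filter
    discards sub-jitter noise). Returns the names worth adding to a spraying list."""
    times = {u: response_time(login, u, wrong_password) for u in candidates}
    baseline = statistics.median(times.values())  # most candidates do not exist
    return sorted(u for u, t in times.items()
                  if t > ratio * baseline and t - baseline > min_gap)


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave", "erin"]
    print("leaky server leaks:", probe_usernames(login_leaky, names))
    print("constant-work server leaks:", probe_usernames(login_constant_work, names))
```

The attacker never needs a correct password: every probe fails, and only the failure latency is measured. Over a network the same measurement is made against many candidate names with the same wrong password, which is why a verified account list is the output of this phase rather than any access.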

GreyNoise data showed that 73 per cent of the attacking infrastructure originated in Brazil, yet the activity almost exclusively targeted systems in the United States. Researchers suggested the timing was calculated, coinciding with the American back-to-school period, when educational institutions bring large numbers of RDP-enabled systems online and create predictable new user accounts.

Strategic Implications and Broader Risks

The scope of the operation carries troubling implications. GreyNoise observed that 92 per cent of the scanning IPs were already flagged as malicious, with many engaged in multipurpose activity such as open proxy scanning and web crawling. Analysts cautioned that such broad reconnaissance has historically preceded the disclosure or weaponization of new vulnerabilities.

The 2019 BlueKeep vulnerability (CVE-2019-0708) provides the precedent most often cited: a surge of scanning for exposed RDP endpoints was followed by active exploitation attempts. Security experts warn that the current campaign could follow a similar course and may signal an impending RDP-related vulnerability.

For now, the scale and precision of the scanning operation underscore the continued attractiveness of Microsoft's remote access tools to attackers. Because organizations rely heavily on these systems for connectivity, defenders are urged to harden configurations (keep RD Web Access and the RDP Web Client off the open internet where possible, or front them with multi-factor authentication), monitor authentication patterns (bursts of failed logins against the RDWeb login page, and many source addresses sharing one client fingerprint), and prepare for potential follow-on intrusions.
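One way to turn the "monitor authentication patterns" advice into a concrete check, as an added example that is not part of the original article or any GreyNoise tooling: a small parser for the IIS W3C logs an RD Web Access server writes, which flags (a) source addresses bursting login POSTs against the RD Web Access login page and (b) client signatures (User-Agent strings) shared by several addresses that each touched both the RD Web Access login page and the RDP Web Client, the coordination pattern the article describes. The log lines are constructed; the `/RDWeb/Pages/en-US/login.aspx` path carries a locale segment that varies by server, and the window and thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PAGE = "/rdweb/pages/en-us/login.aspx"   # RD Web Access form (locale segment varies)
WEBCLIENT = "/rdweb/webclient/index.html"      # RDP Web Client entry page

# Constructed sample in IIS W3C format. Three scanner addresses share one
# User-Agent and hit both portals; one of them sprays the login form; a single
# legitimate user logs in from a normal browser.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-09-10 03:00:01 10.0.0.5 GET /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 15
2025-09-10 03:00:01 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 120
2025-09-10 03:00:02 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 9
2025-09-10 03:00:03 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 118
2025-09-10 03:00:04 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 8
2025-09-10 03:00:05 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 10
2025-09-10 03:00:06 10.0.0.5 GET /RDWeb/webclient/index.html - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 12
2025-09-10 03:00:01 10.0.0.5 GET /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.11 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 14
2025-09-10 03:00:02 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.11 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 9
2025-09-10 03:00:03 10.0.0.5 GET /RDWeb/webclient/index.html - 443 - 198.51.100.11 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 11
2025-09-10 03:00:01 10.0.0.5 GET /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.12 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 16
2025-09-10 03:00:02 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.12 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 121
2025-09-10 03:00:03 10.0.0.5 GET /RDWeb/webclient/index.html - 443 - 198.51.100.12 Mozilla/5.0+(Windows+NT+10.0)+Scanner/1.0 - 200 0 0 13
2025-09-10 03:05:10 10.0.0.5 GET /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/128.0 - 200 0 0 18
2025-09-10 03:05:31 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/128.0 - 302 0 0 130
"""


def parse_iis(text: str) -> list:
    """Parse W3C-format IIS log text into dicts keyed by the #Fields header names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines instead of aborting the whole run
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["time-taken"] = int(rec["time-taken"])
        records.append(rec)
    return records


def burst_login_sources(records, window=timedelta(seconds=60), threshold=5) -> dict:
    """Client IPs that POST to the login page >= threshold times within any window.
    A POST is counted regardless of status: spraying and enumeration both fail."""
    per_ip = defaultdict(list)
    for r in records:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == LOGIN_PAGE:
            per_ip[r["c-ip"]].append(r["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def shared_signature_clusters(records, min_ips=3) -> dict:
    """User-Agents presented by >= min_ips distinct IPs that each touched BOTH
    the RD Web Access login page and the RDP Web Client (the coordinated pattern)."""
    seen = defaultdict(lambda: defaultdict(set))  # ua -> ip -> {paths touched}
    for r in records:
        path = r["cs-uri-stem"].lower()
        if path in (LOGIN_PAGE, WEBCLIENT):
            seen[r["cs(User-Agent)"]][r["c-ip"]].add(path)
    clusters = {}
    for ua, ips in seen.items():
        both = sorted(ip for ip, paths in ips.items() if len(paths) == 2)
        if len(both) >= min_ips:
            clusters[ua] = both
    return clusters


if __name__ == "__main__":
    recs = parse_iis(SAMPLE_LOG)
    print("bursting sources:", burst_login_sources(recs))
    print("shared signatures:", shared_signature_clusters(recs))
```

The `time-taken` column is kept in each record deliberately: the latency the attacker measures from outside is the same latency IIS records, so a bimodal spread of failure times for one source (as in the constructed sample, roughly 10 ms versus 120 ms) is a further hint that usernames, not passwords, are being tested.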
