Coordinated Probing Campaign Targets Microsoft Remote Desktop Services


Between August 21 and 24, 2025, GreyNoise observed a massive spike in malicious scanning activity targeting Microsoft Remote Desktop Protocol (RDP) services. What began as a surge of nearly 2,000 malicious IPs in a single day escalated to over 30,000 unique IPs, all attempting to enumerate valid usernames on Microsoft RD Web Access and RDP Web Client portals. This coordinated scanning wave appears aimed at reconnaissance, setting the stage for credential-based attacks such as password spraying or brute force intrusions.

Severity Level: High

Threat Objective

The observed activity represents a coordinated reconnaissance campaign focused on enumerating valid usernames exposed via Microsoft Remote Desktop services. Attackers are likely attempting to exploit authentication timing discrepancies, a known tactic to validate usernames without submitting full credentials, thus preparing for future credential-based attacks (e.g., password spraying or brute force).

Scale And Temporal Surge

  • On August 21, GreyNoise detected a sharp deviation from normal scanning baselines—logging 1,971 unique IPs probing Microsoft RDP services.
  • GreyNoise observed that 1,851 of the 1,971 IPs shared an identical fingerprint (a “client signature”), implying a uniform scanning toolkit or automation framework was deployed across a botnet or coordinated infrastructure.
  • By August 24, this escalated into a massive surge exceeding 30,000 unique IPs.
  • Against the 3–5 IPs/day that GreyNoise’s telemetry normally records for this activity, the August 21 count alone is roughly 400 times the baseline, and the August 24 peak of 30,000+ unique IPs is roughly 6,000 times it.

Source And Target Landscape

  • Source Distribution: Approximately 73% of the scanning IPs originated from Brazil.
  • Target Region: Exclusively focused on the United States, likely due to the academic calendar ramp-up (e.g., universities and K-12 schools enabling remote access labs).

Observed Behavior Pattern

The attack follows a two-phase reconnaissance logic:

  • Discovery Phase: Identify public-facing endpoints exposing either Microsoft RD Web Access or Microsoft RDP Web Client
  • Enumeration Phase: Conduct timing-based probes against login workflows to infer whether a submitted username exists on the system (based on subtle response time differences or error message variations).

This allows the attacker to build a confirmed list of valid usernames for future authentication-based exploitation.
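To make the enumeration mechanism concrete, the following Python is an added illustration that is not part of the GreyNoise report and does not describe how RD Web Access or the RDP Web Client are implemented: a generic login handler that skips password hashing when the username is unknown, beside one that does the same amount of work either way. The account `alice`, the PBKDF2 cost and the account store are constructed for the example.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed account store for the illustration: one valid user.
# PBKDF2 cost is chosen so a single hash takes tens of milliseconds.
ITERATIONS = 120_000
SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


ACCOUNTS = {"alice": _hash("correct horse battery staple")}
# Hash of a throwaway value: lets the hardened handler do the same work for
# unknown users without storing anything real.
DUMMY_HASH = _hash("placeholder-not-a-password")


def login_leaky(username: str, password: str) -> bool:
    """Returns early when the username is unknown, so no hashing happens and
    the response comes back orders of magnitude faster: the timing oracle."""
    stored = ACCOUNTS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(_hash(password), stored)


def login_constant_work(username: str, password: str) -> bool:
    """Hashes the supplied password whether or not the user exists, and only
    then folds in the existence check, so both paths cost about the same."""
    stored = ACCOUNTS.get(username)
    computed = _hash(password)
    matched = hmac.compare_digest(computed, stored if stored is not None else DUMMY_HASH)
    return matched and stored is not None


def median_seconds(fn, username: str, password: str = "wrong-password", samples: int = 5) -> float:
    """Median wall-clock time of fn(username, password) over several calls."""
    durations = []
    for _ in range(samples):
        start = time.perf_counter()
        fn(username, password)
        durations.append(time.perf_counter() - start)
    return statistics.median(durations)


def timing_ratio(fn, known: str = "alice", unknown: str = "nobody") -> float:
    """How much longer a known username takes than an unknown one.
    A ratio far above 1 means the handler leaks username validity via timing."""
    return median_seconds(fn, known) / max(median_seconds(fn, unknown), 1e-9)


if __name__ == "__main__":
    print(f"leaky handler, known/unknown ratio: {timing_ratio(login_leaky):.0f}x")
    print(f"constant-work handler, known/unknown ratio: {timing_ratio(login_constant_work):.2f}x")
```

Run stand-alone, the leaky handler's known/unknown ratio is in the thousands while the constant-work handler's sits near 1. A scanner measures the same thing remotely, averaging many requests per candidate name to beat network jitter, which is why the probing shows up as a high-volume, regularly paced stream of authentication attempts rather than a handful of logins.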

Campaign Characteristics

  • Tool Behavior Overlap: Many of the same IPs used in this RDP campaign were also seen scanning for open proxies and behaving as web crawlers, suggesting a multi-purpose scanning infrastructure.
  • Related Activity: On August 22, GreyNoise observed a spike in open proxy scanning, with partial signature overlap, hinting that the RDP reconnaissance may be part of a broader infrastructure mapping or access campaign.

Recommendations

  1. Ensure that neither RDP itself (TCP 3389) nor the RD Web Access and RDP Web Client portals (HTTPS, served under /RDWeb/ on the RD Web host) are directly reachable from the public internet. This campaign targeted the web portals, so blocking 3389 alone does not address it; publish remote access through a VPN, Zero Trust Network Access (ZTNA) broker, or RD Gateway instead.
  2. Block or monitor inbound RDP and RD Web traffic from high-risk countries (e.g., Brazil, the dominant source in this report). Treat geo-blocking as noise reduction rather than a security boundary, since scanning infrastructure can shift to other regions.
  3. Apply allowlists to limit RDP access to trusted IP ranges (e.g., staff, IT teams only).
  4. Enforce MFA for all remote access, especially RDP. Do not allow password-only logins.
  5. Monitor for spikes in failed RDP and RD Web logins (Windows Security event 4625, failed logon, on the RD Web and session hosts), including attempts against usernames that do not exist.
  6. Use behavioral analytics or SIEM correlation rules to detect multiple authentication attempts with consistent intervals from the same IP, indicating possible timing-based enumeration.
  7. Flag activity where a single IP accesses both Microsoft RD Web Access and Microsoft RDP Web Client portals within a short time window, as this behavior was consistent across all malicious IPs in the campaign.
  8. Establish a baseline of typical RDP access volumes and alert on deviations—particularly when the number of distinct source IPs spikes drastically.
  9. Detect when a single IP tries to authenticate against many different usernames within a short period, especially if many follow a pattern (e.g., firstname.lastname).
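Recommendations 6, 7 and 9 can be expressed as a few correlation rules. The following Python is an added example, not GreyNoise's or Ampcus Cyber's detection content. It runs over a constructed, normalized authentication log (timestamp, source IP, URI, username) of the kind a SIEM would hold after joining the RD Web host's IIS request log with its Windows Security event 4625 records, since the submitted username is in the POST body and not in the IIS log itself. The URI prefixes follow the real layout of RD Web Access (/RDWeb/Pages/) and the RDP Web Client (/RDWeb/webclient/); the source addresses are documentation ranges, and the thresholds are starting points to tune against your own baseline.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (fields: timestamp  src_ip  uri_stem  username-or-"-").
# 203.0.113.7 probes the Web Client, then works a first.last wordlist against
# RD Web Access at a fixed 2-second cadence; 198.51.100.20 is a normal user.
SAMPLE_LOG = """\
2025-08-21T08:59:58 203.0.113.7 /RDWeb/webclient/index.html -
2025-08-21T09:00:00 203.0.113.7 /RDWeb/Pages/en-US/login.aspx john.smith
2025-08-21T09:00:02 203.0.113.7 /RDWeb/Pages/en-US/login.aspx mary.jones
2025-08-21T09:00:04 203.0.113.7 /RDWeb/Pages/en-US/login.aspx peter.brown
2025-08-21T09:00:06 203.0.113.7 /RDWeb/Pages/en-US/login.aspx anna.lee
2025-08-21T09:00:08 203.0.113.7 /RDWeb/Pages/en-US/login.aspx sam.wilson
2025-08-21T09:00:10 203.0.113.7 /RDWeb/Pages/en-US/login.aspx lisa.chen
2025-08-21T09:03:11 198.51.100.20 /RDWeb/Pages/en-US/login.aspx jdoe
2025-08-21T09:04:57 198.51.100.20 /RDWeb/Pages/en-US/login.aspx jdoe
2025-08-21T09:40:03 198.51.100.20 /RDWeb/Pages/en-US/login.aspx jdoe
"""

RDWEB_ACCESS = "/RDWeb/Pages/"        # RD Web Access (forms login page lives here)
RDWEB_CLIENT = "/RDWeb/webclient/"    # RDP Web Client
FIRST_LAST = re.compile(r"^[a-z]+\.[a-z]+$")  # firstname.lastname convention


def parse_log(text):
    """Turn the whitespace-separated sample into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, uri, user = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                       "ip": ip, "uri": uri,
                       "user": None if user == "-" else user})
    return events


def _by_ip(events):
    groups = defaultdict(list)
    for e in events:
        groups[e["ip"]].append(e)
    return groups


def both_portals(events, window_s=300):
    """Rec. 7: IPs that touched RD Web Access and the Web Client within window_s."""
    flagged = set()
    for ip, evs in _by_ip(events).items():
        access = [e["ts"] for e in evs if e["uri"].startswith(RDWEB_ACCESS)]
        client = [e["ts"] for e in evs if e["uri"].startswith(RDWEB_CLIENT)]
        if any(abs((a - c).total_seconds()) <= window_s
               for a in access for c in client):
            flagged.add(ip)
    return flagged


def username_spray(events, min_users=5, window_s=300):
    """Rec. 9: IPs trying >= min_users distinct usernames inside any window_s
    window; also reports the share of those names that look like first.last."""
    flagged = {}
    for ip, evs in _by_ip(events).items():
        attempts = sorted((e["ts"], e["user"]) for e in evs if e["user"])
        for t0, _ in attempts:
            users = {u for t, u in attempts
                     if 0 <= (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                share = sum(1 for u in users if FIRST_LAST.match(u)) / len(users)
                flagged[ip] = {"distinct_users": len(users),
                               "first_last_share": round(share, 2)}
                break
    return flagged


def regular_cadence(events, min_attempts=5, max_cv=0.15):
    """Rec. 6: IPs whose login attempts arrive at near-constant intervals
    (coefficient of variation of the inter-attempt gaps <= max_cv)."""
    flagged = {}
    for ip, evs in _by_ip(events).items():
        times = sorted(e["ts"] for e in evs if e["user"])
        if len(times) < min_attempts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            flagged[ip] = {"attempts": len(times), "mean_gap_s": mean, "cv": round(cv, 3)}
    return flagged


def run_detections(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"both_portals": both_portals(events),
            "username_spray": username_spray(events),
            "regular_cadence": regular_cadence(events)}


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(f"{rule}: {hits}")
```

Only the scanner address trips all three rules; the legitimate user never reaches the distinct-username or attempt-count thresholds. In a real deployment the same three rules would be written in the SIEM's query language and joined with a daily distinct-source-IP count against the baseline from recommendation 8.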

Source:

  • https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-desktop
  • https://viz.greynoise.io/tags/microsoft-rd-web-access-anonymous-authentication-timing-attack-scanner?days=10
  • https://viz.greynoise.io/tags/microsoft-rdp-web-client-login-enumeration-check?days=10


Ampcus Cyber