Hackers Scanning Microsoft Remote Desktop Web Access From 1000+ IPs

A massive coordinated campaign is targeting Microsoft Remote Desktop Protocol (RDP) services, with nearly 2,000 malicious IP addresses conducting simultaneous reconnaissance against authentication portals.

The unprecedented surge represents a 400-fold increase from normal baseline activity and signals potential preparations for large-scale credential-based attacks on educational institutions.

On August 21, 2025, GreyNoise observed an extraordinary spike in scanning activity against Microsoft RD Web Access and Microsoft RDP Web Client authentication systems.

The attack involved 1,971 IP addresses—dramatically exceeding the typical baseline of 3-5 IPs per day.

Analysis reveals that 1,851 of these IPs shared an identical client signature, indicating coordination through a single toolset or botnet module.

The malicious nature of this campaign is underscored by GreyNoise classification data, which shows that approximately 92% of the participating IP addresses (1,698 out of 1,851) were already flagged as malicious in their threat intelligence database.

The attacking infrastructure demonstrated sophisticated multi-pronged capabilities, with the same IP addresses simultaneously flagged as Open Proxy Scanners and Web Crawlers, suggesting the use of a comprehensive attack toolkit.

Geographic analysis reveals a concentrated threat landscape, with roughly 73% of source IPs originating from Brazil while exclusively targeting systems within the United States.

This targeted approach, combined with the uniform client signatures observed across the campaign, indicates a well-orchestrated operation rather than opportunistic scanning.
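The two signals the article leans on, a jump in distinct source IPs against a daily baseline of a handful and a single client signature shared by almost all of them, can be checked directly in web server logs. The following is an added example, not code from GreyNoise or the article: it runs over constructed IIS-style log lines (made-up addresses and User-Agents, spaces encoded as `+`) for the RD Web Access login page and the RDP Web Client path, profiles each day, and flags days that exceed a configurable multiple of the baseline while one client signature dominates.

```python
import re
from collections import Counter, defaultdict

# Constructed IIS-style lines: date, client IP, method, URI, User-Agent (spaces as '+').
# Made-up addresses and agents; not data from GreyNoise or any real server.
NORMAL_DAY = [
    "2025-08-20 203.0.113.10 GET /RDWeb/Pages/en-US/login.aspx Mozilla/5.0+(Windows+NT+10.0)",
    "2025-08-20 203.0.113.11 POST /RDWeb/Pages/en-US/login.aspx Mozilla/5.0+(Windows+NT+10.0)",
    "2025-08-20 203.0.113.12 GET /RDWeb/webclient/index.html Mozilla/5.0+(Macintosh)",
    "2025-08-20 203.0.113.13 GET /owa/ Mozilla/5.0+(Windows+NT+10.0)",  # not RD Web, ignored
]
# Spike day: 60 source addresses sharing one client signature, plus two normal users.
SPIKE_DAY = [f"2025-08-21 198.51.100.{n} GET /RDWeb/Pages/en-US/login.aspx scanner-sig/1.0"
             for n in range(1, 61)]
SPIKE_DAY += [line.replace("2025-08-20", "2025-08-21") for line in NORMAL_DAY[:2]]
SAMPLE_LOG = NORMAL_DAY + SPIKE_DAY

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")
RDWEB_PATHS = ("/RDWeb/Pages/en-US/login.aspx", "/RDWeb/webclient/")

def parse(lines):
    """Yield (date, ip, path, user_agent) for hits on RD Web Access / RDP Web Client paths."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        date, ip, _method, path, ua = m.groups()
        if path.startswith(RDWEB_PATHS):
            yield date, ip, path, ua

def daily_profile(lines):
    """Per day: number of distinct source IPs and the share held by the most common User-Agent."""
    ips = defaultdict(set)
    agents = defaultdict(Counter)
    for date, ip, _path, ua in parse(lines):
        ips[date].add(ip)
        agents[date][ua] += 1
    profile = {}
    for date in ips:
        ua, hits = agents[date].most_common(1)[0]
        total = sum(agents[date].values())
        profile[date] = {"distinct_ips": len(ips[date]), "top_agent": ua, "top_agent_share": hits / total}
    return profile

def flag_spikes(profile, baseline_ips=5, multiplier=10, share_threshold=0.9):
    """Days whose distinct-IP count exceeds multiplier x baseline while one client signature dominates."""
    return sorted(day for day, p in profile.items()
                  if p["distinct_ips"] >= baseline_ips * multiplier
                  and p["top_agent_share"] >= share_threshold)
```

The baseline and multiplier are assumptions for the sample; in practice derive the baseline from the server's own history rather than the article's 3-5 IPs per day.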

Microsoft Remote Desktop

The timing of this campaign coincides strategically with the US back-to-school period, when universities and K-12 institutions typically bring RDP-enabled remote access systems online to support thousands of new student accounts.

Educational environments present attractive targets due to their predictable username formats, such as student IDs or firstname.lastname conventions, which significantly enhance the effectiveness of enumeration attacks.

Security experts warn that educational institutions often operate under budget constraints while prioritizing accessibility during enrollment periods, potentially creating security gaps.

The attackers appear to be exploiting this vulnerability window, conducting reconnaissance that could enable future credential stuffing, password spraying, or brute force attacks against confirmed valid usernames.

Two-Stage Attack Methodology

The scanning campaign employed a sophisticated two-stage methodology designed to maximize attack effectiveness.

GreyNoise research indicated that 80% of technology-specific attack spikes precede the discovery of new vulnerabilities within six weeks, suggesting potential zero-day preparations.

In the initial phase, attackers systematically identified IP addresses exposing Microsoft RD Web Access or RDP Web Client services.

The second stage involved testing authentication workflows for timing vulnerabilities and other login-flow differences that could reveal valid usernames without successful authentication.

This enumeration technique allows attackers to build comprehensive lists of valid accounts on exposed systems, dramatically increasing the success rate of subsequent credential-based attacks.
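The login-flow differences described above exist when an authentication handler treats unknown and known usernames differently: a distinct error message, or an early return that skips the password hashing and so answers measurably faster. The following added example (not code from the article or from Microsoft) shows a leaky handler beside a uniform one over a constructed single-user store; `cost_ratio` is a self-check a defender can run to confirm the unknown-user path costs about the same as the known-user path.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor; the same cost must be paid on every path

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store {username: (salt, derived key)}; a made-up student account.
_SALT = os.urandom(16)
USERS = {"s1234567": (_SALT, derive("correct horse battery", _SALT))}
# Dummy record so an unknown username still costs one PBKDF2 run and can never verify.
_DUMMY = (os.urandom(16), os.urandom(32))

def login_leaky(username, password):
    """Leaks account existence: unknown users get a distinct message and a fast early return."""
    record = USERS.get(username)
    if record is None:
        return False, "unknown user"
    salt, key = record
    ok = hmac.compare_digest(derive(password, salt), key)
    return ok, None if ok else "bad password"

def login_uniform(username, password):
    """Same message and same PBKDF2 work whether or not the username exists."""
    salt, key = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(derive(password, salt), key) and username in USERS
    return ok, None if ok else "invalid username or password"

def cost_ratio(login, known="s1234567", unknown="no-such-user", rounds=3):
    """Median time of an unknown-user failure divided by a known-user failure (close to 1 is good)."""
    def median(user):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(user, "wrong password")
            samples.append(time.perf_counter() - start)
        return sorted(samples)[rounds // 2]
    return median(unknown) / median(known)
```

Uniform messages and timing remove only the per-request signal; rate limiting, lockout policy that does not itself reveal existence, and MFA in front of RD Web Access remain necessary against the credential attacks the article anticipates.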

The intelligence gathered can be leveraged for credential stuffing operations using breached password databases, targeted password spraying campaigns, or future exploitation should new RDP-related vulnerabilities emerge.

Historical precedent demonstrates the serious implications of RDP-focused attacks, including the Russia-nexus UNC5839 espionage operations, the SamSam ransomware campaigns that devastated the City of Atlanta, and the widespread BlueKeep exploitation events of 2019.

Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
