A massive wave of scanning activity targeting the Microsoft Remote Desktop Protocol (RDP), involving more than 30,000 unique IP addresses, has been identified probing authentication portals in what looks like a coordinated campaign, according to GreyNoise.
Cybercriminals scanning for exposed RDP services is nothing new. In fact, it is a key attack vector used to gain access to networks, often serving as an entry point for ransomware, data theft, and espionage campaigns.
Security intelligence firm GreyNoise spotted the surge and found that the same client signature was observed across Microsoft RD Web Access and Microsoft RDP Web Client services.
“On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. Nearly 2,000 IPs — the vast majority previously observed and tagged as malicious — simultaneously probed both Microsoft RD Web Access and Microsoft RDP Web Client authentication portals,” the company said in a blog post.
The activity grew even bigger on Aug. 24, when the researchers saw that over 30,000 IPs triggered both tags simultaneously.
Microsoft RDP endpoints are constantly being scanned, but the baseline is low: typically only a handful of new IPs per day. That number rose to 1,971 IPs on Aug. 21 alone.
Moreover, the sudden wave displayed a 100% overlap across RDP Web Access and RDP Web Client probes, with 1,851 IPs sharing the same client signature, which suggests that a single botnet or scanning toolkit may be responsible.
Researchers note that 92% of those IPs were already classified as malicious. Most originated from Brazil (~73%), while the United States was the primary target.
The timing of the surge may not be accidental: August coincides with the US back-to-school season, and schools and universities ramp up RDP-backed systems to manage new accounts.
“The campaign’s US-only targeting aligns with that calendar — education and IT teams should harden RDP now and watch for follow-up activity from this same client signature,” the researchers warned.
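The two indicators GreyNoise relied on, IPs that hit both portals with one client signature and a daily unique-IP count far above the usual handful, can be checked locally on a gateway's web logs. The script below is an added example written for this article, not GreyNoise's or Bitdefender's code. It assumes W3C-style IIS logs with the fields shown, assumes the RD Web Access login pages live under `/RDWeb/Pages/` and the RDP Web Client under `/RDWeb/webclient/`, and uses the User-Agent string as a stand-in for the "client signature" (the article does not say what GreyNoise's signature consists of). The log excerpt, IP addresses, user agents and the surge threshold are all constructed.

```python
from collections import defaultdict
from statistics import mean

# Assumed request-path prefixes (compared lower-cased); adjust to your deployment.
RDWEB_ACCESS_PREFIX = "/rdweb/pages/"      # RD Web Access login pages
RDWEB_CLIENT_PREFIX = "/rdweb/webclient/"  # HTML5 RDP Web Client

# Constructed W3C-style log excerpt (IIS writes spaces inside User-Agent as '+').
SAMPLE_LOG = """\
#Software: constructed sample, not a real log
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2025-08-20 08:15:02 GET /RDWeb/Pages/en-US/login.aspx 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 200
2025-08-21 10:00:00 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.10 scanner-sig/1.0 200
2025-08-21 10:00:01 GET /RDWeb/webclient/index.html 198.51.100.10 scanner-sig/1.0 200
2025-08-21 10:00:03 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.11 scanner-sig/1.0 200
2025-08-21 10:00:04 GET /RDWeb/webclient/index.html 198.51.100.11 scanner-sig/1.0 200
2025-08-21 10:00:07 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.12 scanner-sig/1.0 200
2025-08-21 10:00:08 GET /RDWeb/webclient/index.html 198.51.100.12 scanner-sig/1.0 200
2025-08-21 11:30:00 GET /RDWeb/Pages/en-US/login.aspx 198.51.100.20 curl/8.0 200
2025-08-22 08:10:45 GET /RDWeb/Pages/en-US/login.aspx 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed line: skip it rather than abort the whole run
        rec = dict(zip(fields, parts))
        rec["cs(User-Agent)"] = rec.get("cs(User-Agent)", "-").replace("+", " ")
        records.append(rec)
    return records


def portal(uri_stem):
    """Map a request path to the RDP portal it belongs to, or None for other paths."""
    u = uri_stem.lower()
    if u.startswith(RDWEB_ACCESS_PREFIX):
        return "access"
    if u.startswith(RDWEB_CLIENT_PREFIX):
        return "client"
    return None


def ips_probing_both_portals(records):
    """Return {ip: {client signatures}} for IPs that touched BOTH portals."""
    seen = defaultdict(lambda: {"portals": set(), "agents": set()})
    for r in records:
        p = portal(r["cs-uri-stem"])
        if p is None:
            continue
        seen[r["c-ip"]]["portals"].add(p)
        seen[r["c-ip"]]["agents"].add(r["cs(User-Agent)"])
    return {ip: v["agents"] for ip, v in seen.items() if len(v["portals"]) == 2}


def dominant_signature(overlap):
    """Most common client signature among the overlapping IPs, with how many IPs share it."""
    counts = defaultdict(int)
    for agents in overlap.values():
        for ua in agents:
            counts[ua] += 1
    if not counts:
        return None, 0
    ua = max(counts, key=counts.get)
    return ua, counts[ua]


def daily_unique_ips(records):
    """Unique source IPs per day across both portals, oldest day first."""
    per_day = defaultdict(set)
    for r in records:
        if portal(r["cs-uri-stem"]) is not None:
            per_day[r["date"]].add(r["c-ip"])
    return {d: len(ips) for d, ips in sorted(per_day.items())}


def surge_days(daily, factor=3.0):
    """Days whose unique-IP count exceeds `factor` times the mean of all earlier days."""
    flagged, history = [], []
    for day, count in sorted(daily.items()):
        if history and count > factor * mean(history):
            flagged.append(day)
        history.append(count)
    return flagged


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    both = ips_probing_both_portals(recs)
    sig, n = dominant_signature(both)
    print(f"{len(both)} IPs hit both portals; top signature {sig!r} on {n} of them")
    print("surge days:", surge_days(daily_unique_ips(recs)))
```

The surge threshold is a placeholder; on a real gateway, base it on a few weeks of history rather than the three days in the sample, and treat the "both portals, one signature" set as the list to block or rate-limit and to watch for follow-up logins.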
The campaign seems designed to systematically find valid accounts on exposed RDP portals through a timing attack approach:
This preparatory stage enables attackers to build valid-user lists, which can later support:
How to stay safe:
Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.