Husain Parvez
Published on: August 31, 2025
Threat intelligence firm GreyNoise has reported one of the largest coordinated scanning campaigns targeting Microsoft Remote Desktop services in recent years, with activity escalating from just under 2,000 IPs on August 21 to over 30,000 IPs on August 24.
GreyNoise noted that “nearly 2,000 IPs — the vast majority previously observed and tagged as malicious — simultaneously probed both Microsoft RD Web Access and Microsoft RDP Web Client authentication portals” during the first wave. Just three days later, the scale ballooned, with the company confirming that “on August 24, over 30,000 unique IPs simultaneously triggered both Microsoft RD Web Access and Microsoft RDP Web Client tags, largely from the same client signature behind the August 21 spike.”
Baseline probing activity for these RDP services normally involves only 3–5 IPs per day, making the sudden appearance of thousands of coordinated sources a clear anomaly. According to GreyNoise, timelines showed the same client signature hitting both tags simultaneously, and 1,851 of the 1,971 IPs in the initial surge shared identical client signatures, strongly suggesting a single botnet module or toolset.
The attack methodology focused on timing vulnerabilities in RDP authentication workflows. As GreyNoise explained, the aim was to “test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions.” By leveraging small differences in server response times, attackers can identify valid accounts before launching brute-force or credential-stuffing attempts.
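As an added illustration (not GreyNoise’s code or part of the original article), the Python script below applies the two indicators the report leans on, a jump in the number of distinct source IPs that probe both portals on a single day measured against the 3–5 IP daily baseline, and the share of those IPs presenting an identical client signature, to a constructed set of access-log lines. The log format, the use of the User-Agent string as the client signature, and the /RDWeb/ path prefixes are assumptions.

```python
from collections import Counter, defaultdict

# Portal tags modelled on the two GreyNoise tags named in the article; the path
# prefixes are assumptions about a default RD Web Access / RDP Web Client install.
TAGS = {"rd_web_access": "/rdweb/pages/", "rdp_web_client": "/rdweb/webclient"}

def tag_for(path):
    """Map a request path to a portal tag, or None if it is neither portal."""
    p = path.lower()
    for tag, prefix in TAGS.items():
        if p.startswith(prefix):
            return tag
    return None

def parse_line(line):
    """Constructed log format (assumption): '<date> <src_ip> <path> <user_agent...>'."""
    date, ip, path, ua = line.split(" ", 3)
    return date, ip, path, ua

def analyze(lines, baseline_ips_per_day=5):
    """Return {day: (ips_hitting_both_portals, top_signature_share, anomalous)}."""
    seen = defaultdict(lambda: defaultdict(set))  # day -> ip -> portal tags hit
    sigs = defaultdict(dict)                       # day -> ip -> client signature
    for line in lines:
        day, ip, path, ua = parse_line(line)
        tag = tag_for(path)
        if tag:
            seen[day][ip].add(tag)
            sigs[day][ip] = ua
    result = {}
    for day, ips in seen.items():
        both = [ip for ip, tags in ips.items() if len(tags) == len(TAGS)]
        share = 0.0
        if both:  # fraction of "both portal" IPs sharing the single most common signature
            top = Counter(sigs[day][ip] for ip in both).most_common(1)[0][1]
            share = top / len(both)
        result[day] = (len(both), round(share, 3), len(both) > baseline_ips_per_day)
    return result

def constructed_sample():
    """One quiet day of normal traffic plus one day with 40 IPs, 38 of which share
    a client signature and probe both portals (constructed, not real data)."""
    lines = [
        "2025-08-20 198.51.100.7 /RDWeb/Pages/en-US/login.aspx Mozilla/5.0 (Windows NT 10.0)",
        "2025-08-20 198.51.100.8 /RDWeb/webclient/index.html Mozilla/5.0 (Windows NT 10.0)",
        "2025-08-20 198.51.100.9 /RDWeb/Pages/en-US/login.aspx Mozilla/5.0 (Windows NT 10.0)",
        "2025-08-20 198.51.100.9 /RDWeb/webclient/index.html Mozilla/5.0 (Windows NT 10.0)",
    ]
    for n in range(1, 41):
        ua = "probe-sig-A" if n <= 38 else "probe-sig-B"
        lines.append(f"2025-08-21 203.0.113.{n} /RDWeb/Pages/en-US/login.aspx {ua}")
        lines.append(f"2025-08-21 203.0.113.{n} /RDWeb/webclient/index.html {ua}")
    return lines

if __name__ == "__main__":
    for day, (n, share, flag) in sorted(analyze(constructed_sample()).items()):
        print(day, n, share, "ANOMALY" if flag else "ok")
```

Run against real IIS logs, the only change needed is in `parse_line`; the anomaly flag and signature share are what a SOC would plot against the baseline day by day.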
Geographic distribution also pointed to a coordinated effort. Researchers observed approximately 73% of the probing IPs originating from Brazil, while the initial August 21 spike was concentrated exclusively on US infrastructure. The campaign’s timing coincides with the American back-to-school season, when universities and schools typically bring RDP-enabled systems online with predictable username formats.
Analysts warn this may be a prelude to broader exploitation. GreyNoise research indicates that 80% of scanning spikes precede new vulnerability disclosures within six weeks, and past incidents like BlueKeep (CVE-2019-0708) have shown how reconnaissance quickly evolves into mass exploitation.