Coordinated Scans Surged Targeting Microsoft RDP Auth Servers

GreyNoise detected 1,971 IPs scanning Microsoft RDP Web Auth portals, probing for timing flaws and enumerating usernames, potentially in preparation for credential-based attacks during the US back-to-school season.

    A sudden and large-scale surge of scanning activity has targeted Microsoft Remote Desktop Web Access and RDP Web Client authentication portals, internet intelligence firm GreyNoise reports. The company recorded 1,971 distinct IP addresses probing RDP authentication endpoints in concert, a dramatic jump compared with the three to five IP addresses per day GreyNoise typically observes for this type of activity. GreyNoise characterizes the event as a coordinated reconnaissance campaign that may be laying the groundwork for credential-based attacks.

    Scale and Anatomy of the Scanning Wave

    GreyNoise’s telemetry shows almost 2,000 IP addresses probing RDP authentication pages around the same time. Of those, 1,851 shared the same client signature; roughly 92 percent of that subset were already flagged in GreyNoise’s systems as malicious. The sheer volume and the shared signature profile point toward a single botnet or a common toolset being used to run the scans at scale.

    The scans focused on Microsoft’s web-based RDP authentication surfaces (the RD Web Access and RDP Web Client login pages) rather than the raw RDP service on TCP port 3389. That emphasis suggests the actors are checking the web authentication flow for timing or response differences that reveal whether a username exists, information that can later be used in credential-focused attacks such as brute-force or password-spray campaigns.

    Unique IP addresses performing Microsoft RDP web client login enumeration
    Source: GreyNoise

    How Timing Flaws Enable Username Enumeration

    GreyNoise warns the activity appears aimed at identifying timing flaws in authentication responses. A timing flaw exists when a system responds measurably faster or slower to valid inputs than to invalid ones, usually because the two take different code paths: a login handler that returns immediately when the username is unknown, but runs a slow password hash when it exists, answers unknown users faster. In the RDP web auth context, such a difference in response time between a valid and an invalid username can be enough for automated tools, sampling each candidate repeatedly, to infer which usernames are real.

    Once attackers can reliably enumerate valid usernames, they can scale follow-on attacks more efficiently. Valid accounts become prime targets for credential stuffing, password-spray, or brute-force techniques. The reconnaissance phase therefore increases the odds that later intrusion attempts will succeed.
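    The mechanism described above, as an added illustration that is not part of GreyNoise’s report and makes no claim about Microsoft’s own RD Web Access code: a generic forms-login check written two ways. The leaky version short-circuits for unknown usernames before doing the expensive password hash; the hardened version hashes against a dummy for unknown users so every attempt costs the same. The attacker-side function times wrong-password attempts per candidate and classifies any candidate that is markedly slower than the fastest one as a real account. The accounts, passwords and the 1 ms jitter floor are all hypothetical choices for the demo.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed demo credential store (hypothetical accounts, not from the article).
_SALT = os.urandom(16)
_ITERATIONS = 20_000  # deliberately slow hash so the timing gap is visible


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"jsmith": _hash("correct horse"), "student123": _hash("Fall2025!")}
# Hashed once at startup; gives unknown usernames the same work factor as known ones.
_DUMMY_HASH = _hash("dummy-password-for-unknown-users")


def login_vulnerable(username: str, password: str) -> bool:
    """Leaky pattern: unknown users short-circuit before the expensive hash."""
    stored = USERS.get(username)
    if stored is None:
        return False  # fast path: leaks "no such user" through response time
    return hmac.compare_digest(_hash(password), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always does the same work: hash against a dummy for unknown users,
    compare in constant time, and only then fold in whether the user exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password), stored)
    return ok and username in USERS


def median_login_time(login, username: str, trials: int = 7) -> float:
    """Attacker's measurement: median wall-clock seconds for a wrong-password attempt."""
    samples = []
    for _ in range(trials):
        t0 = time.perf_counter()
        login(username, "definitely-wrong-password")
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def enumerate_users(login, candidates, trials: int = 7, min_gap: float = 0.001) -> dict:
    """Classify each candidate as 'exists' if its median response is markedly slower
    than the fastest candidate (assumed to be an unknown user). min_gap ignores
    sub-millisecond jitter; a real remote attack needs many more samples and a
    statistical test, but the decision rule is the same."""
    medians = {u: median_login_time(login, u, trials) for u in candidates}
    baseline = min(medians.values())
    threshold = max(3 * baseline, baseline + min_gap)
    return {u: m > threshold for u, m in medians.items()}


if __name__ == "__main__":
    names = ["jsmith", "ghost", "student123", "nobody"]
    print("vulnerable:", enumerate_users(login_vulnerable, names))
    print("hardened:  ", enumerate_users(login_hardened, names))
```

    Run locally, the vulnerable handler separates the two real accounts from the two fake ones on a handful of samples because the gap is the full cost of the hash; the hardened handler gives a flat profile. Over a network the same classifier needs far more trials and a proper statistical test, which is exactly why scanners sample each target repeatedly.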

    Geographic and Signature Analysis Suggest Single Botnet

    GreyNoise’s analysis of the IP origins shows a concentration in Brazil, while targeted hosts were predominantly in the United States. The geographic pattern — many scanning IPs from a similar region and a dominant shared client signature — strengthens the hypothesis of a single botnet or coordinated toolset operating the wave. That cluster-level behavior also explains why GreyNoise flagged the majority of those IPs as malicious.

    The firm’s telemetry contrasts the current activity with historical baselines: seeing thousands of coordinated probes in a short period represents an unusually large and synchronized reconnaissance campaign.

    Why the Timing May Be Significant

    The timing of the activity coincides with the back-to-school window in the United States. GreyNoise analyst Noah Stone noted the date alignment and suggested it could be strategic: “The timing may not be accidental. August 21 sits squarely in the US back-to-school window, when universities and K-12 bring RDP-backed labs and remote access online and onboard thousands of new accounts. These environments often use predictable username formats (student IDs, firstname.lastname), making enumeration more effective. Combined with budget constraints and a priority on accessibility during enrollment, exposure could spike.”

    GreyNoise also cautions that spikes in malicious scanning have in the past preceded disclosure of new vulnerabilities. A surge like this can therefore either be opportunistic reconnaissance timed to an expected increase in exposed systems, or it may signal a new exploit or discovery that adversaries are preparing to weaponize.

    Observed Risks and Operational Impact

    According to GreyNoise, the primary risk is that successful username enumeration will enable high-probability credential attacks. Academic and lab environments with predictable account naming conventions can be especially vulnerable. Because RDP web portals often sit at the edge of campus networks and allow remote access to labs or VDI sessions, attackers who combine valid usernames with weak or reused passwords can gain easy footholds.

    GreyNoise’s dataset shows the activity was anomalous in scope and method. The shared client signature and malicious classification of most scanning IPs are indicators defenders can use to correlate and investigate similar probes seen in their logs.
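    One way to turn the two indicators above (a burst of login probes from one source, and one client signature shared across many sources) into a check against a Remote Desktop Web Access host’s own IIS logs. This is an added example, not GreyNoise tooling or anything from Microsoft; it assumes the default IIS W3C field set (and honours a `#Fields:` header if yours differs), matches POSTs to the RD Web Access login page and the RDP Web Client root, and runs over constructed sample lines whose IPs, timestamps and `rdweb-probe/1.0` User-Agent are invented for the demo. Thresholds (10 POSTs in a 5-minute sliding window; a User-Agent seen from 2 or more IPs) are starting points to tune, not published values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Field order assumed here is the IIS default W3C extended-logging set; the parser
# also honours a "#Fields:" header line, so adjust to whatever your RDWeb host logs.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
          "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

# RD Web Access forms-login page and the RDP web client root (lower-cased for matching).
LOGIN_PATHS = ("/rdweb/pages/en-us/login.aspx", "/rdweb/webclient/")


def _line(ts, method, path, ip, ua, status):
    # IIS writes "-" for empty fields and replaces spaces in the User-Agent with "+".
    return f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 {method} {path} - 443 - {ip} {ua} - {status} 0 0 42"


def build_sample_log() -> str:
    """Constructed sample log, not real telemetry: two scanning IPs share one client
    signature and hammer the login page; a third IP is an ordinary user."""
    header = ("#Software: Microsoft Internet Information Services 10.0\n"
              "#Fields: " + " ".join(FIELDS) + "\n")
    start = datetime(2025, 8, 21, 13, 0, 0)
    scanner_ua = "Mozilla/5.0+(Windows+NT+10.0)+rdweb-probe/1.0"  # hypothetical signature
    browser_ua = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Firefox/128.0"
    lines = []
    for ip in ("203.0.113.10", "198.51.100.7"):
        for i in range(12):
            lines.append(_line(start + timedelta(seconds=15 * i), "POST",
                               "/RDWeb/Pages/en-US/login.aspx", ip, scanner_ua, 200))
    lines.append(_line(start, "GET", "/RDWeb/Pages/en-US/login.aspx", "192.0.2.44", browser_ua, 200))
    lines.append(_line(start + timedelta(seconds=20), "POST", "/RDWeb/Pages/en-US/login.aspx",
                       "192.0.2.44", browser_ua, 302))
    return header + "\n".join(lines) + "\n"


def parse_iis(text: str) -> list:
    fields, events = FIELDS, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than crash on them
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def login_probes(events: list) -> list:
    """Only POSTs to the login surfaces count as authentication probes."""
    return [e for e in events
            if e["cs-method"] == "POST" and e["cs-uri-stem"].lower().startswith(LOGIN_PATHS)]


def bursty_sources(probes: list, window=timedelta(minutes=5), threshold: int = 10) -> dict:
    """Source IPs with at least `threshold` login POSTs inside any `window` (sliding)."""
    by_ip = defaultdict(list)
    for p in probes:
        by_ip[p["c-ip"]].append(p["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def shared_signatures(probes: list, min_ips: int = 2) -> dict:
    """User-Agent strings seen probing from at least `min_ips` distinct sources:
    the 'shared client signature' clue GreyNoise used to tie the wave together."""
    by_ua = defaultdict(set)
    for p in probes:
        by_ua[p["cs(User-Agent)"]].add(p["c-ip"])
    return {ua: sorted(ips) for ua, ips in by_ua.items() if len(ips) >= min_ips}


def analyze(text: str) -> dict:
    probes = login_probes(parse_iis(text))
    return {"bursty": bursty_sources(probes), "shared": shared_signatures(probes)}


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(key, value)
```

    The User-Agent is only one component of a client signature, and an attacker controls it, so treat a shared-signature hit as a correlation lead rather than proof of a single operator; the per-source burst count is the more robust of the two and is the one to alert on first.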

    What Administrators Are Being Told

    GreyNoise’s coverage calls attention to the surge and the likely intent behind it. Its note to Windows administrators follows standard defensive guidance: accounts reachable through internet-facing RDP portals should require multi-factor authentication where possible, and remote access should sit behind a VPN or gateway when feasible. The reporting highlights these as the immediate steps that blunt the credential-based attacks the reconnaissance seeks to enable.

    GreyNoise emphasized that the event is a sizable departure from daily scanning norms and should be treated as a coordinated reconnaissance campaign. The firm’s findings also underline a broader operational pattern: attackers increasingly probe for subtle information leaks such as timing differences that can be turned into accurate, high-yield reconnaissance. Whether this wave is opportunistic scanning timed to the academic calendar or the precursor to an exploit disclosure, the activity warrants continued monitoring by network defenders and security teams.
