GreyNoise Detects Massive Surge in RDP Web Access Probing: Prelude to Password Attacks?
GreyNoise has observed a sharp and highly atypical surge in reconnaissance activity targeting Microsoft Remote Desktop Web Access and the RDP Web Client: 1,971 unique IP addresses were active simultaneously, whereas the company typically sees only 3–5 such sources per day.
Analysts note that the synchrony and scale point to a coordinated campaign in which attackers probe authentication portals and lay the groundwork for subsequent password attacks. 1,851 of those addresses presented the same client fingerprint, and roughly 92% of them are already flagged as malicious. Most traffic originated in Brazil and was directed at U.S. addresses—consistent with the hypothesis of a single botnet or a common toolset.
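The two signals described above, an atypical jump in distinct source addresses against RD Web Access paths and a large share of them presenting one client fingerprint, can be checked from ordinary web-server logs. The following script is an added example written for this article, not GreyNoise's tooling or code; the log lines are constructed in IIS W3C style (field order is an assumption), the baseline of 5 daily sources follows the figure quoted above, and the alert multiplier and the `/RDWeb` path prefix are assumptions for the demo.

```python
"""Flag days on which an unusual number of distinct sources hit RD Web Access / RD Web Client paths."""
from collections import Counter, defaultdict

# Constructed IIS W3C-style log lines (not real traffic). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
FIELDS_HEADER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
                 "s-port cs-username c-ip cs(User-Agent) sc-status")
NORMAL_DAY = [
    "2025-08-19 09:01:10 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0) 200",
    "2025-08-19 11:20:03 10.0.0.5 GET /RDWeb/webclient/index.html - 443 - 198.51.100.11 Mozilla/5.0+(Macintosh) 200",
    "2025-08-19 15:47:51 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.12 Mozilla/5.0+(X11;+Linux) 200",
    "2025-08-19 16:02:00 10.0.0.5 GET /owa/ - 443 - 198.51.100.13 Mozilla/5.0+(Windows+NT+10.0) 200",  # not RDWeb
]
# Surge day: ten sources sharing one client fingerprint plus two unrelated visitors.
SURGE_DAY = [
    f"2025-08-21 03:{i:02d}:00 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.{i} Go-http-client/1.1 200"
    for i in range(1, 11)
] + [
    "2025-08-21 04:10:00 10.0.0.5 GET /RDWeb/webclient/ - 443 - 203.0.113.50 Mozilla/5.0+(Windows+NT+10.0) 200",
    "2025-08-21 04:11:00 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.51 curl/8.4.0 200",
]
SAMPLE_LOG = "\n".join([FIELDS_HEADER] + NORMAL_DAY + SURGE_DAY)


def parse_lines(text):
    """Parse whitespace-separated W3C log lines into dicts; directives (#...) and short lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 11:
            continue
        records.append({"day": f[0], "method": f[3], "path": f[4],
                        "ip": f[8], "ua": f[9], "status": f[10]})
    return records


def is_rdweb(path):
    """RD Web Access pages and the RD Web Client are served under /RDWeb (assumed default virtual directory)."""
    return path.lower().startswith("/rdweb")


def find_surges(records, baseline_max=5, multiplier=2):
    """Return one alert per day whose distinct RDWeb sources exceed baseline_max * multiplier.

    Each alert carries the most common client fingerprint (User-Agent here) and the share of
    sources presenting it, so a shared-toolset wave stands out from organic traffic.
    """
    by_day = defaultdict(dict)  # day -> {client ip: user agent}
    for r in records:
        if is_rdweb(r["path"]):
            by_day[r["day"]][r["ip"]] = r["ua"]
    alerts = []
    for day in sorted(by_day):
        sources = by_day[day]
        unique = len(sources)
        if unique <= baseline_max * multiplier:
            continue
        fingerprint, count = Counter(sources.values()).most_common(1)[0]
        alerts.append({"day": day, "unique_ips": unique,
                       "top_fingerprint": fingerprint,
                       "top_fingerprint_share": round(count / unique, 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_surges(parse_lines(SAMPLE_LOG)):
        print(alert)
```

On the constructed data the normal day stays under the threshold and 2025-08-21 is reported with 12 distinct sources, ten of which share one fingerprint. In production the baseline should be learned from the site's own history rather than hard-coded, and the fingerprint should combine more than the User-Agent header, which is trivially changed.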
The objective of the scanning wave is to enable timing attacks, in which small differences in response times inadvertently leak sensitive information. If an RDP web portal responds slightly faster to a login attempt with an existing username than to a nonexistent one, adversaries can confirm which accounts exist without knowing any password—a classic side channel via response latency.
Researchers date the spike to August 21—the start of the academic year in the United States. During this period, schools and universities often bring RDP services online for remote labs, create large numbers of new accounts, and temporarily prioritize availability over strict controls. Such environments frequently rely on predictable naming schemes—from student IDs to “firstname.lastname” patterns—further improving the efficiency of username enumeration. Budget constraints in education also play a role: when rapid onboarding for thousands takes precedence, guardrails and protective mechanisms are often deployed with delay.
GreyNoise emphasizes that similar peaks have, in past experience, often preceded the public disclosure of new vulnerabilities. Even if this is merely preparation for later password attacks, the risk remains high: confirmed usernames shrink the search space and boost the success of both targeted brute force and wide-scale password spraying.
Administrators of Windows infrastructures are urged to eliminate easy compromise paths immediately. At a minimum: enforce mandatory multi-factor authentication for all accounts with access to RDP web portals and place those portals behind a VPN or equivalent remote-access boundary. Additionally, restrict external access to RD Web Access by source allowlists, enable aggressive login-attempt throttling, and closely evaluate any response-time differentials that could become exploitable side channels.
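The latency side channel explained above, and the closing recommendation to evaluate response-time differentials, come down to one implementation property: the login path must do the same amount of work whether or not the username exists. The following is an added example written for this article, not Microsoft's RD Web Access code; it uses a constructed single-user store with PBKDF2 as the password hash (the iteration count is an assumption for the demo) and contrasts a handler that returns early for unknown users with one that always runs a full key derivation against a decoy credential.

```python
"""Login handler that does identical work for known and unknown usernames,
so response latency does not reveal which accounts exist."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; tune per deployment

STATS = {"hash_calls": 0}  # instrumentation so the two handlers can be compared


def reset_stats():
    STATS["hash_calls"] = 0


def derive_key(password, salt):
    """Expensive step: this is what an early return skips."""
    STATS["hash_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, derived key). One account only.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, derive_key("correct horse battery", _ALICE_SALT))}

# Decoy credential used for unknown usernames; random per process so no password can match it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = derive_key(os.urandom(32).hex(), _DUMMY_SALT)
reset_stats()  # do not count the setup-time derivations


def login_vulnerable(username, password):
    """Returns early for unknown users: that path skips the key derivation and
    therefore answers measurably faster than a wrong password for a real user."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(derive_key(password, salt), stored)


def login_hardened(username, password):
    """Always performs exactly one key derivation and one constant-time compare;
    unknown users are rejected only after that work has been done."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    candidate = derive_key(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    return matched and username in USERS


def time_call(fn, *args):
    """Wall-clock one call, the measurement a defender would repeat in a lab to verify a fix."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


if __name__ == "__main__":
    for handler in (login_vulnerable, login_hardened):
        known = time_call(handler, "alice", "wrong-password")
        unknown = time_call(handler, "nobody", "wrong-password")
        print(f"{handler.__name__}: known user {known * 1000:.1f} ms, unknown user {unknown * 1000:.1f} ms")
```

Run stand-alone, the vulnerable handler shows the unknown-user case finishing in well under a millisecond while the known-user case pays the full derivation; the hardened handler shows both within noise of each other. Equalising work is only part of the fix: a uniform error message for both cases, the throttling and source allowlists recommended above, and MFA in front of the portal remove the remaining value of a confirmed username.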