Last week, threat intelligence firm GreyNoise observed a coordinated scanning campaign targeting Microsoft Remote Desktop Protocol (RDP) services that escalated from an initial wave of nearly 2,000 malicious IP addresses to more than 30,000 unique source IPs within days. The scans, aimed at RD Web Access and RDP Web Client authentication portals, used timing-based techniques to enumerate valid usernames, a reconnaissance step that typically precedes credential stuffing and password spraying. While the immediate objective was information gathering rather than exploitation, the scale and the focus on U.S. educational institutions during the back-to-school period signal a calculated effort to harvest credentials for future intrusions.

On August 21, 2025, GreyNoise detected approximately 1,971 distinct IP addresses probing Microsoft’s remote desktop authentication endpoints almost simultaneously. Of those, 1,851 shared an identical client signature, suggesting the use of a single toolset or botnet module. Nearly 92% of these IPs were already classified as malicious by the firm. Just three days later, on August 24, a second wave swelled to over 30,000 unique IPs triggering the same detection signatures, a dramatic increase that underscores the campaign’s organized and automated nature.

“This isn’t your garden-variety background scanning,” said a GreyNoise researcher in their analysis. “The uniformity of the client signature and the concentration on a specific authentication surface point to deliberate, pre-attack reconnaissance.” The targeting was overwhelmingly aimed at U.S.-based hosts, while a disproportionate number of the probing IPs were geolocated to Brazil. However, researchers caution that IP geolocation often reflects compromised infrastructure rather than the attackers’ true origin; botnets frequently route through devices in third-party countries.

The technique at play is timing-based username enumeration. The attacker submits login attempts with different usernames and a deliberately wrong password, measures how long each rejection takes, and infers from the delay whether the account exists. Many authentication systems take a measurably different amount of time depending on whether the account is real, even when the error message is identical: a common cause is that the password hash or the directory lookup is skipped entirely for an unknown user, so that rejection comes back faster. Because each name is tried only once, the attacker builds a list of confirmed usernames without tripping account lockouts or brute-force alarms. Once valid usernames are known, attackers can later shift to credential stuffing, replaying passwords from earlier breaches, or to password spraying, trying a small set of common passwords across many accounts.

The campaign’s timing coincides with the U.S. back-to-school season, when universities and K-12 districts activate RDP-backed remote labs and administrative systems. Educational institutions often employ predictable username schemas like firstname.lastname or student ID numbers, which significantly increases the success rate of enumeration. “When you know that a school uses a standard naming convention, you can generate massive lists of likely usernames and then use timing attacks to confirm them with high precision,” explained a senior security analyst.

GreyNoise’s findings were corroborated by Petri IT Knowledgebase, which reported that the surge “coincided with the US back-to-school period” and highlighted the attackers’ focus on enabling future brute-force or credential stuffing attacks. Other outlets amplified the story, though some added speculative warnings about “80% chance of major exploits” or imminent ransomware follow-ups—claims that GreyNoise itself did not substantiate in its telemetry. Security experts advise treating such unverified forecasts with caution while acknowledging that reconnaissance campaigns of this magnitude are serious precursors to more damaging activity.

The technical community has long known that timing attacks can compromise authentication systems. What makes this campaign notable is its sheer scale and the apparent coordination behind it. The reuse of a single client signature across thousands of IPs suggests either a centralized botnet with a shared scanning module or a widely distributed tool controlled by a single actor. GreyNoise’s director of research noted, “When you see that kind of uniformity, it’s not just a random assortment of compromised machines. It’s an infrastructure that was built or rented for this purpose.”

The reconnaissance activity does not appear to have exploited any new Remote Desktop vulnerability. Rather, it leverages a timing side channel inherent in many web-based authentication flows: the server's response time differs depending on whether the submitted account exists. That said, the broader RDP ecosystem has seen a series of critical patches in recent months, including fixes for path traversal vulnerabilities in the Remote Desktop client and resource-exhaustion flaws in Remote Desktop Services. Administrators who have not applied the latest Microsoft security updates are exposed to a compound threat: a known vulnerability combined with an active username reconnaissance campaign could lead to rapid intrusion.

For defenders, the immediate priority is to eliminate or drastically reduce RDP exposure to the public internet. GreyNoise and incident response teams recommend the following tiered approach:

Within 24 hours:
- Block all direct access to RDP (TCP and UDP 3389) and to any RD Web Access or RDP Web Client endpoints from the public internet; mediate connections through a VPN or Zero Trust network access (ZTNA).
- Enforce multi-factor authentication (MFA) for all remote desktop access.
- Apply the latest Microsoft security patches for Remote Desktop Services and related components.

First week:
- Enable Network Level Authentication (NLA) and configure RD Gateway with strong TLS settings.
- Restrict RDP access to allow-listed management IP ranges; rate-limit or block all other inbound attempts.
- Harden authentication workflows by ensuring uniform error messages and minimizing response time discrepancies where possible; if perfect uniformity cannot be achieved, compensate with MFA and behavioral detection.

Medium-term (1-4 weeks):
- Deploy honeypot or canary accounts that should never see login traffic to detect enumeration attempts.
- Integrate threat intelligence feeds like GreyNoise into perimeter defenses and SIEM systems to automatically block known malicious IPs and client signatures.
- Create SIEM rules that detect enumeration-style login probes: many accounts each failing exactly once from the same source or the same client signature, rather than one account failing many times.
- Audit all exposed RDS/RD Web Access servers and remove or isolate unnecessary services.

Longer-term (1-3 months):
- Transition to Zero Trust architectures that validate every access request dynamically, eliminating the need for public-facing RDP altogether.
- Adopt Privileged Access Workstation (PAW) models to limit the client-side attack surface.
- Review and diversify username generation schemes where possible; in education, where predictable usernames are often unavoidable, double down on MFA and session monitoring.
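The side channel described earlier, and the uniform-work fix that the first-week hardening item asks for, as an added Python example. This is not Microsoft's RD Web Access code and not anything GreyNoise published; the user store, the PBKDF2 parameters, the sample accounts and the attacker's 50% timing threshold are all constructed for the illustration.

```python
"""Why a login that skips the password hash for unknown users leaks them.

Added example, not Microsoft's or GreyNoise's code: RD Web Access's real
handler is not shown. The user store, PBKDF2 parameters, sample accounts
and the attacker's threshold are constructed for this illustration.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # slow on purpose so the timing gap is obvious


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(accounts):
    """Constructed store: username -> (salt, pbkdf2 hash)."""
    store = {}
    for name, pw in accounts.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(pw, salt))
    return store


def login_leaky(store, username, password):
    """Same error for every failure, but an unknown user returns before any
    hashing, so the rejection arrives orders of magnitude faster."""
    if username not in store:
        return False
    salt, expected = store[username]
    return hmac.compare_digest(_hash(password, salt), expected)


# Fixed dummy record: unknown users are checked against it so they cost the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-never-valid", _DUMMY_SALT)


def login_uniform(store, username, password):
    """Always does the PBKDF2 work, then decides. The dummy can never
    authenticate because membership is re-checked after the comparison."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), expected)
    return matched and username in store


def time_call(fn, *args, rounds=3):
    """Median wall-clock seconds for fn(*args): the attacker's measurement."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


def enumerate_users(login, store, candidates, threshold_ratio=0.5):
    """Attacker side: one wrong-password attempt per candidate (no lockout),
    then call a name 'valid' when its rejection took at least threshold_ratio
    of the slowest rejection seen."""
    timings = {u: time_call(login, store, u, "wrong-password") for u in candidates}
    slowest = max(timings.values())
    return {u: t >= threshold_ratio * slowest for u, t in timings.items()}


if __name__ == "__main__":
    store = make_user_store({"jane.doe": "Winter2025!", "svc-backup": "hunter2"})
    names = ["jane.doe", "john.roe", "svc-backup", "s1234567"]
    print("leaky  :", enumerate_users(login_leaky, store, names))
    print("uniform:", enumerate_users(login_uniform, store, names))
```

Against `login_leaky` the attacker's classifier separates the two real accounts from the two invented ones on a single attempt each; against `login_uniform` every candidate costs the same PBKDF2 work and the classifier can no longer tell them apart. The remaining risk is the variance a directory round trip or lockout bookkeeping adds on a real RD Web Access host, which is why the hardening list pairs this with MFA and behavioral detection rather than relying on timing uniformity alone.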

Detection engineers should look for high-volume, short-duration authentication probes against RD Web Access or RDP Web Client endpoints from many dispersed IPs that share an identical client fingerprint. Other indicators are a single failed attempt per account spread across many accounts (so no account ever reaches its lockout threshold) and a measurable gap in response latency between valid and invalid usernames. These patterns are visible in web server logs and authentication telemetry even when the attackers avoid lockouts, with one caveat: the IIS log on an RD Web Access host records the source IP, User-Agent, status and time-taken of each form POST, not the username submitted in the request body, so the per-account view has to come from the Windows Security log on the host that validated the credentials, where failed logon event 4625 carries the attempted account name.

The cybersecurity community has long warned that RDP is a prime target. Between 2020 and 2024, the number of exposed RDP endpoints grew as organizations rushed to enable remote work, often without adequate hardening. According to a Shodan scan in early 2025, there were more than 3 million internet-facing RDP servers. The current campaign demonstrates that attackers are not just scanning for the default port but are increasingly targeting the higher-layer web portals that gate access to RDS farms—services that many organizations mistakenly believe are safe because they sit behind HTTPS.

Bob Rudis, GreyNoise’s head of data science, emphasized that the activity is a “well-orchestrated, multi-wave assault” and that “the rapid escalation from 2,000 to 30,000 IPs suggests a command-and-control infrastructure that can scale on demand.” He urged administrators to “assume that if you have an internet-facing RDP authentication portal, it’s already being probed.”

The campaign raises questions about whether we’re witnessing the early stages of a broader attack chain. Historically, spikes in scanning activity have sometimes presaged the disclosure of a new vulnerability. For example, the BlueKeep vulnerability (CVE-2019-0708) was preceded by a noticeable increase in RDP scanning. Similar patterns were observed before the release of patches for critical Exchange Server flaws. While no zero-day has been identified in connection with this current surge, defenders should monitor Microsoft’s Security Response Center and CISA alerts closely. The concern is that attackers are gathering target lists now, hoping to pair them with a future exploit.

For educational institutions, the timing is particularly fraught. Schools are not only bringing systems online for the new academic year but are also managing a complex mix of legacy applications, student-owned devices, and limited IT staffing. Many rely on RDP to provide virtual lab access and administrative tools to faculty. A successful credential attack could disrupt classes, expose sensitive student records, and trigger costly ransom demands. The FBI and CISA have repeatedly named the education sector as one of the most targeted industries for ransomware, and stolen RDP credentials are a common initial vector.

In response, the Cybersecurity and Infrastructure Security Agency (CISA) has recommended that schools prioritize RDP hardening as part of this year’s back-to-school cybersecurity checklist. Specific guidance includes implementing phishing-resistant MFA, ensuring aggressive patch management, and using threat intelligence feeds to pre-emptively block known malicious IPs. CISA also offers free vulnerability scanning and assessment services to qualifying institutions.

The industry’s immediate takeaway is that perimeter-based security alone is insufficient. Even with an RD Gateway that enforces MFA, timing attacks can still leak username existence. The durable mitigation is to shift from a static, network-based access model to an identity-centric, continuously verified approach. “We’ve known for a decade that exposing any authentication prompt to the internet creates an enumeration risk,” said a principal security architect at Duo Security. “The best practice is to hide it behind a zero trust proxy that can absorb these probes and apply real-time risk analytics.”

Defenders should also scrutinize their logging and monitoring capabilities. Many organizations fail to capture the timing data needed to detect this kind of enumeration. On the RD Web Access IIS instance, the W3C log field time-taken records per-request latency in milliseconds; enabling it alongside cs(User-Agent), and collecting equivalent telemetry from the RDP Web Client proxy and the underlying RDS hosts, can reveal the latency gap that separates valid from invalid usernames. Security information and event management (SIEM) systems should be tuned to alert on abnormal response-time distributions for login requests, not just on failed-login counts.
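One way to turn the indicators and logging advice above into a concrete check, as an added example that is not GreyNoise tooling and not a Microsoft-provided detection. It assumes default IIS W3C logging on the RD Web Access host with the fields shown, that a failed form login re-renders login.aspx with HTTP 200 while a success redirects with 302, and that the User-Agent is what the probe tool leaves behind as its "client signature"; every log line, address (documentation ranges) and user agent in it is constructed.

```python
"""Detecting RD Web Access username-enumeration probes in IIS W3C logs.

Added example: not GreyNoise tooling, not a Microsoft detection. Assumed:
default IIS W3C fields as listed below, failed form login = HTTP 200 on
login.aspx, success = 302, User-Agent = the probe's client signature.
All log lines, addresses and user agents are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

_FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
           "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
           "sc-win32-status time-taken")
_PROBE_UA = "Mozilla/5.0+(compatible;+rdprobe/1.0)"                 # constructed
_BROWSER_UA = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/128.0"
_LOGIN = "/RDWeb/Pages/en-US/login.aspx"
_RETURN = "ReturnUrl=%2FRDWeb%2FPages%2Fen-US%2FDefault.aspx"


def _line(hms, method, ip, ua, status, ms, query=_RETURN):
    """One constructed IIS log line (IIS writes spaces in the UA as '+')."""
    return f"2025-08-21 {hms} 10.0.0.10 {method} {_LOGIN} {query} 443 - {ip} {ua} - {status} 0 0 {ms}"


SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    _FIELDS,
    # three probe IPs, one attempt per username, identical client signature;
    # time-taken alternates between ~40 ms (unknown user) and ~215 ms (real user)
    _line("14:00:01", "POST", "203.0.113.10", _PROBE_UA, 200, 41),
    _line("14:00:02", "POST", "203.0.113.10", _PROBE_UA, 200, 214),
    _line("14:00:03", "POST", "203.0.113.11", _PROBE_UA, 200, 39),
    _line("14:00:04", "POST", "203.0.113.11", _PROBE_UA, 200, 220),
    _line("14:00:05", "POST", "203.0.113.12", _PROBE_UA, 200, 44),
    # one source bursting through a wordlist, two seconds apart
    *[_line(f"14:00:{10 + 2 * i:02d}", "POST", "198.51.100.7", _PROBE_UA, 200, ms)
      for i, ms in enumerate((40, 42, 209, 38, 41, 217))],
    # a real user: page load, then a successful login that redirects
    _line("14:05:00", "GET", "192.0.2.25", _BROWSER_UA, 200, 18, query="-"),
    _line("14:05:07", "POST", "192.0.2.25", _BROWSER_UA, 302, 205),
])


def parse_w3c_log(text):
    """Map each data line onto the column names from the #Fields: directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):        # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records


def is_login_post(r):
    stem = r["cs-uri-stem"].lower()
    return r["cs-method"] == "POST" and stem.startswith("/rdweb/") and stem.endswith("login.aspx")


def shared_fingerprint_clusters(records, min_ips=3):
    """Client signatures seen posting to the login page from >= min_ips sources."""
    by_ua = defaultdict(set)
    for r in records:
        if is_login_post(r):
            by_ua[r["cs(User-Agent)"]].add(r["c-ip"])
    return {ua: ips for ua, ips in by_ua.items() if len(ips) >= min_ips}


def burst_sources(records, window_s=60, min_posts=5):
    """Sources with >= min_posts login POSTs inside any window_s-second window."""
    stamps = defaultdict(list)
    for r in records:
        if is_login_post(r):
            stamps[r["c-ip"]].append(datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, ts in stamps.items():
        ts.sort()
        best = j = 0
        for i, t in enumerate(ts):                # sliding window over sorted times
            while (t - ts[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_posts:
            flagged[ip] = best
    return flagged


def login_latency_spread(records):
    """Server-side self-check: do failed login POSTs (status 200) fall into two
    latency clusters? Splits the sorted time-taken values at the largest gap."""
    taken = sorted(int(r["time-taken"]) for r in records
                   if is_login_post(r) and r["sc-status"] == "200")
    if len(taken) < 2:
        return None
    cut = max(range(1, len(taken)), key=lambda i: taken[i] - taken[i - 1])
    fast, slow = taken[:cut], taken[cut:]
    return {"fast_n": len(fast), "slow_n": len(slow), "fast_mean": mean(fast),
            "slow_mean": mean(slow), "ratio": mean(slow) / mean(fast)}
```

Run on real logs, `shared_fingerprint_clusters` is the "many IPs, one signature" indicator, `burst_sources` the per-source probe rate, and `login_latency_spread` a coarse self-check of whether the portal's own failures split into a fast and a slow population. Two caveats for production use: IIS time-taken includes client network time, so the spread should be read per source network rather than globally, and cs-username is empty for form POSTs, which is why the per-account view belongs to the Security event log rather than to this parser.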

While the immediate focus is on the current spate of scans, security professionals warn that the threat landscape is dynamic. The same botnet infrastructure could easily be repurposed to scan for other critical services—VPNs, cloud-based identity providers, or webmail. GreyNoise has already observed similar client signatures probing other Microsoft 365 authentication endpoints, though at a much smaller scale. This suggests that the actor behind this campaign may be actively expanding their target list.

For Windows and RDP administrators, the message is clear: the cost of ignoring this campaign could be a full-on compromise within weeks. The reconnaissance data being assembled today will likely be used for attacks once the attacker deems the list sufficiently complete. As the Petri report concluded, “Organizations should take proactive steps to defend against timing-based enumeration and credential attacks” and that the “surge in malicious IPs targeting Microsoft RDP services” is a threat that “should be treated as high-priority.”

In summary, what began as a spike of roughly 2,000 IPs on August 21 grew to more than 30,000 probing IPs three days later, all testing RDP web authentication portals for username enumeration. The campaign is a stark reminder that exposed remote desktop portals, even those behind HTTPS, are a prized target. With schools and universities entering their peak vulnerability window, the time for defensive action is now. Block public exposure, enforce MFA, deploy threat feeds, and move toward Zero Trust before your usernames end up on a criminal’s target list.