Coordinated RDP Scans Seek Username Enumeration, Raising Intrusion Risks
GreyNoise has reported a sharp increase in scanning activity targeting Microsoft Remote Desktop Protocol (RDP) web-facing services, first observed on August 21, 2025. According to their analysis, "Nearly 2,000 IPs — the vast majority previously observed and tagged as malicious, simultaneously probed both Microsoft RD Web Access and Microsoft RDP Web Client authentication portals. The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions." This is a marked departure from the normal baseline of just 3–5 IPs per day probing these portals. Only a few days later, on August 24, GreyNoise identified an even larger spike, with more than 30,000 unique IPs engaging in the same scanning behavior, indicating a widespread and coordinated campaign.
The bulk of the activity appears to originate from Brazil, with U.S.-based systems as the primary target. GreyNoise observed that 1,851 of the 1,971 IPs from the August 21 event shared the same client signature, with approximately 92% already classified as malicious. This uniformity suggests the use of a single botnet or specialized toolset designed to map RDP authentication portals and test for subtle flaws in response times. The research also indicates partial overlap between this RDP scanning activity and separate waves of proxy scanning observed in late July and early August, hinting at multipurpose attacker infrastructure.
The timing of this surge is notable. GreyNoise emphasized, "August 21 sits squarely in the US back-to-school window, when universities and K-12 bring RDP-backed labs and remote access online and onboard thousands of new accounts." This seasonal exposure increases risk: educational environments often rely on predictable username formats (for example, student ID or first-initial-last-name schemes), and they may prioritize accessibility over hardened security during enrollment periods. A list of usernames confirmed valid by a timing oracle turns blind guessing into targeted brute-force, password-spraying, or credential-stuffing attacks. Moreover, GreyNoise warns that spikes of this kind often precede the disclosure or exploitation of new vulnerabilities, citing historic precedents such as the BlueKeep RDP flaw.
The current wave of RDP scanning is more than casual probing; it is coordinated enumeration whose output attackers could reuse for espionage, ransomware deployment, or mass exploitation. Organizations with exposed RD Web Access or RD Web Client portals are advised to enforce multi-factor authentication, place the portals behind a VPN or a Remote Desktop Gateway rather than exposing them directly to the internet, and monitor for abnormal login behavior, in particular sudden jumps in the number of distinct source IPs hitting the login pages and large sets of sources sharing one client signature. Without mitigation, attackers may already be building valid-user lists that will improve the success of future intrusion campaigns.
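The two observable features the article attributes to the campaign, a day-level jump in distinct source IPs against the RDWeb login portals and a single client signature shared by almost all of them, can be turned into a simple detection over IIS logs. The following is an added example written for this page, not GreyNoise's tooling or anything from Microsoft: it parses IIS W3C extended-format lines using the `#Fields` directive, counts distinct sources per day against a quiet baseline, and reports how uniform the User-Agent of those sources is and how many probed both the RD Web Access login page and the RD Web Client path. The log lines are constructed, the RDWeb URI paths are assumed typical values rather than taken from the article, and the thresholds (`baseline_ips`, `factor`, `uniformity`) are illustrative and should be tuned to the site's own baseline.

```python
"""Flag coordinated scanning of RD Web Access / RD Web Client login portals in IIS W3C logs.

Added example for this page (not GreyNoise's or Microsoft's code). Log content is
constructed; RDWeb paths are assumed typical values.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple


def build_sample_log() -> str:
    """Construct an IIS W3C log: one quiet day, then a burst where forty distinct
    TEST-NET-1 IPs share one User-Agent and each hit both portals."""
    header = ("#Software: Microsoft Internet Information Services 10.0\n"
              "#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status\n")
    browser = "Mozilla/5.0+(Windows+NT+10.0)"  # IIS writes spaces in UA as '+'
    scanner = "python-requests/2.31.0"
    lines = []
    for ip in ("203.0.113.7", "198.51.100.9", "203.0.113.21"):  # 2025-08-20: ordinary logins
        lines.append(f"2025-08-20 09:00:00 POST /RDWeb/Pages/en-US/login.aspx {ip} {browser} 200")
    for n in range(1, 41):  # 2025-08-21: constructed scanning burst
        ip = f"192.0.2.{n}"
        lines.append(f"2025-08-21 02:00:{n % 60:02d} POST /RDWeb/Pages/en-US/login.aspx {ip} {scanner} 200")
        lines.append(f"2025-08-21 02:00:{n % 60:02d} GET /RDWeb/webclient/ {ip} {scanner} 200")
    lines.append(f"2025-08-21 08:30:00 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 {browser} 200")
    lines.append(f"2025-08-21 08:31:00 GET /RDWeb/Pages/en-US/Default.aspx 198.51.100.9 {browser} 200")
    return header + "\n".join(lines) + "\n"


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended format; column names come from the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines instead of mis-assigning columns
        records.append(dict(zip(fields, parts)))
    return records


def is_auth_portal(uri: str) -> bool:
    """Assumed RDWeb portal paths: the RD Web Access login page (any locale)
    and the RD Web Client under /RDWeb/webclient."""
    u = uri.lower()
    return (u.startswith("/rdweb/pages/") and u.endswith("login.aspx")) or u.startswith("/rdweb/webclient")


def auth_portal_hits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if is_auth_portal(r["cs-uri-stem"])]


def daily_sources(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Distinct client IPs per calendar day that touched a portal."""
    by_day: Dict[str, Set[str]] = defaultdict(set)
    for r in hits:
        by_day[r["date"]].add(r["c-ip"])
    return by_day


def client_uniformity(hits: List[Dict[str, str]], day: str) -> Tuple[str, float]:
    """Most common User-Agent among that day's distinct IPs (first UA seen per IP)
    and the fraction of IPs presenting it."""
    ua_by_ip: Dict[str, str] = {}
    for r in hits:
        if r["date"] == day:
            ua_by_ip.setdefault(r["c-ip"], r["cs(User-Agent)"])
    ua, n = Counter(ua_by_ip.values()).most_common(1)[0]
    return ua, n / len(ua_by_ip)


def both_portals(hits: List[Dict[str, str]], day: str) -> int:
    """Number of IPs that probed both RD Web Access and RD Web Client that day."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in hits:
        if r["date"] == day:
            seen[r["c-ip"]].add("webclient" if "/webclient" in r["cs-uri-stem"].lower() else "rdweb")
    return sum(1 for s in seen.values() if len(s) == 2)


def detect_spikes(records: List[Dict[str, str]], baseline_ips: int = 5,
                  factor: int = 5, uniformity: float = 0.8) -> List[Dict[str, object]]:
    """Alert on days whose distinct-source count is >= factor * baseline; mark the day
    coordinated when one client signature covers >= `uniformity` of the sources."""
    hits = auth_portal_hits(records)
    alerts: List[Dict[str, object]] = []
    for day, ips in sorted(daily_sources(hits).items()):
        if len(ips) < baseline_ips * factor:
            continue
        ua, share = client_uniformity(hits, day)
        alerts.append({"date": day, "unique_ips": len(ips), "dominant_ua": ua,
                       "ua_share": round(share, 2), "both_portals": both_portals(hits, day),
                       "coordinated": share >= uniformity})
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(parse_w3c(build_sample_log())):
        print(alert)
```

On the constructed log this yields one alert for 2025-08-21 with 41 distinct sources, a dominant `python-requests/2.31.0` signature covering about 98% of them, and 40 sources that touched both portals, while the quiet day stays under the threshold. Keying uniformity on the first User-Agent per IP keeps one chatty scanner from dominating the ratio; in production, feed the function from the real `#Fields` layout of your RDWeb site's logs and derive `baseline_ips` from a few weeks of your own history rather than the article's 3–5 IPs/day figure.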

