Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft RDP authentication portal reconnaissance campaign

Campaign
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

A nearly 1,971-IP scanning burst is hitting Microsoft Remote Desktop Web Access and RDP Web Client login portals, increasing the risk of username enumeration and follow-on credential attacks. The activity is far above the usual 3–5 IPs per day baseline, making it a meaningful shift in exposure. A large share of the sources share one client signature, and most of those are already marked malicious. The pattern suggests a coordinated operation with Brazilian-origin sources targeting systems in the United States.

Related Happenings

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Trend
H score30 First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Cisco SSL VPN and GlobalProtect credential-probing campaign

Campaign
H score32 First: 18.12.2025 06:10 Last: 18.12.2025 06:10 Sources 1

About this happening: A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...

Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign

Campaign
H score37 First: 06.12.2025 17:18 Last: 06.12.2025 17:18 Sources 1

About this happening: A **credential-based campaign** is hitting **Palo Alto GlobalProtect portals** and **SonicWall SonicOS API endpoints**, creating broad reconnaissance risk across remote-access and...

Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge

Campaign
H score36 First: 20.11.2025 19:08 Last: 20.11.2025 19:08 Sources 1

About this happening: A coordinated **malicious scanning campaign** against **Palo Alto Networks GlobalProtect** VPN login portals surged **40x** in 24 hours, pushing activity to a **90-day high**. Gre...

Whisper Leak side-channel analysis on streaming LLM traffic

Technical Analysis
H score25 First: 08.11.2025 16:29 Last: 08.11.2025 16:29 Sources 1

About this happening: Microsoft disclosed **Whisper Leak**, a side-channel attack that can infer **sensitive prompt topics** from **encrypted TLS traffic** in **streaming LLM conversations**, weakening...

Timeline

  1. 26.08.2025 02:43 1 articles · 10mo ago

    Coordinated scans probe Microsoft RDP authentication portals

    Campaign Scope Update

    Nearly 1,971 IP addresses probe Microsoft Remote Desktop Web Access and RDP Web Client authentication portals in a coordinated burst, with 1,851 sharing the same client signature and roughly 92% of those already flagged malicious. The probing focuses on timing flaws that could help verify usernames and support later brute force or password-spray attacks, with sources predominantly from Brazil targeting IPs in the United States.

    Show sources
  2. 26.08.2025 02:43 1 articles · 10mo ago

    GreyNoise flags timing-flaw reconnaissance and advises MFA for exposed RDP portals

    Initial Disclosure

    GreyNoise assesses the Microsoft Remote Desktop Web Access and RDP Web Client scan wave as a possible precursor to future credential-based attacks and notes that spikes in malicious traffic can precede newly disclosed vulnerabilities. Windows admins managing exposed RDP portals are advised to enforce multi-factor authentication and, where possible, place RDP behind VPNs.

    Show sources