Microsoft RDP authentication portal reconnaissance campaign
Campaign
Summary
Hide ▲
Show ▼
A nearly 1,971-IP scanning burst is hitting Microsoft Remote Desktop Web Access and RDP Web Client login portals, increasing the risk of username enumeration and follow-on credential attacks. The activity is far above the usual 3–5 IPs per day baseline, making it a meaningful shift in exposure. A large share of the sources share one client signature, and most of those are already marked malicious. The pattern suggests a coordinated operation with Brazilian-origin sources targeting systems in the United States.
Related Happenings
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
Trend
H score30
First: 02.04.2026 18:21
Last: 02.04.2026 18:21
Sources 1
About this happening:
Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
TrendAbout this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Cisco SSL VPN and GlobalProtect credential-probing campaign
Campaign
H score32
First: 18.12.2025 06:10
Last: 18.12.2025 06:10
Sources 1
About this happening:
A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...
Cisco SSL VPN and GlobalProtect credential-probing campaign
CampaignAbout this happening: A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...
Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign
Campaign
H score37
First: 06.12.2025 17:18
Last: 06.12.2025 17:18
Sources 1
About this happening:
A **credential-based campaign** is hitting **Palo Alto GlobalProtect portals** and **SonicWall SonicOS API endpoints**, creating broad reconnaissance risk across remote-access and...
Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign
CampaignAbout this happening: A **credential-based campaign** is hitting **Palo Alto GlobalProtect portals** and **SonicWall SonicOS API endpoints**, creating broad reconnaissance risk across remote-access and...
Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge
Campaign
H score36
First: 20.11.2025 19:08
Last: 20.11.2025 19:08
Sources 1
About this happening:
A coordinated **malicious scanning campaign** against **Palo Alto Networks GlobalProtect** VPN login portals surged **40x** in 24 hours, pushing activity to a **90-day high**. Gre...
Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge
CampaignAbout this happening: A coordinated **malicious scanning campaign** against **Palo Alto Networks GlobalProtect** VPN login portals surged **40x** in 24 hours, pushing activity to a **90-day high**. Gre...
Whisper Leak side-channel analysis on streaming LLM traffic
Technical Analysis
H score25
First: 08.11.2025 16:29
Last: 08.11.2025 16:29
Sources 1
About this happening:
Microsoft disclosed **Whisper Leak**, a side-channel attack that can infer **sensitive prompt topics** from **encrypted TLS traffic** in **streaming LLM conversations**, weakening...
Whisper Leak side-channel analysis on streaming LLM traffic
Technical AnalysisAbout this happening: Microsoft disclosed **Whisper Leak**, a side-channel attack that can infer **sensitive prompt topics** from **encrypted TLS traffic** in **streaming LLM conversations**, weakening...
Timeline
-
26.08.2025 02:43 1 articles · 10mo ago
Coordinated scans probe Microsoft RDP authentication portals
Campaign Scope UpdateNearly 1,971 IP addresses probe Microsoft Remote Desktop Web Access and RDP Web Client authentication portals in a coordinated burst, with 1,851 sharing the same client signature and roughly 92% of those already flagged malicious. The probing focuses on timing flaws that could help verify usernames and support later brute force or password-spray attacks, with sources predominantly from Brazil targeting IPs in the United States.
Show sources
- Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
-
26.08.2025 02:43 1 articles · 10mo ago
GreyNoise flags timing-flaw reconnaissance and advises MFA for exposed RDP portals
Initial DisclosureGreyNoise assesses the Microsoft Remote Desktop Web Access and RDP Web Client scan wave as a possible precursor to future credential-based attacks and notes that spikes in malicious traffic can precede newly disclosed vulnerabilities. Windows admins managing exposed RDP portals are advised to enforce multi-factor authentication and, where possible, place RDP behind VPNs.
Show sources
- Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43