
Microsoft RDP authentication portal reconnaissance campaign

Campaign
Happening score: 33
1 unique source, 1 article

Summary


A scanning burst from nearly 1,971 IP addresses is hitting Microsoft Remote Desktop Web Access and RDP Web Client login portals, increasing the risk of username enumeration and follow-on credential attacks. The activity is far above the usual baseline of 3–5 IPs per day, making it a meaningful shift in exposure. A large share of the sources share one client signature, and most of those are already marked malicious. The pattern suggests a coordinated operation, with sources originating in Brazil and targeting systems in the United States.

Related Happenings

Cisco SSL VPN and GlobalProtect credential-probing campaign

Campaign
First: 18.12.2025 06:10 Last: 18.12.2025 06:10 Sources 1

About this happening: A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...

Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign

Campaign
First: 06.12.2025 17:18 Last: 06.12.2025 17:18 Sources 1

About this happening: A **credential-based campaign** is hitting **Palo Alto GlobalProtect portals** and **SonicWall SonicOS API endpoints**, creating broad reconnaissance risk across remote-access and...

Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge

Campaign
First: 20.11.2025 19:08 Last: 20.11.2025 19:08 Sources 1

About this happening: A coordinated **malicious scanning campaign** against **Palo Alto Networks GlobalProtect** VPN login portals surged **40x** in 24 hours, pushing activity to a **90-day high**. Gre...

Whisper Leak side-channel analysis on streaming LLM traffic

Technical Analysis
First: 08.11.2025 16:29 Last: 08.11.2025 16:29 Sources 1

About this happening: Microsoft disclosed **Whisper Leak**, a side-channel attack that can infer **sensitive prompt topics** from **encrypted TLS traffic** in **streaming LLM conversations**, weakening...

Multi-country botnet RDP reconnaissance campaign targeting U.S. services

Campaign
First: 13.10.2025 21:05 Last: 13.10.2025 21:05 Sources 1

About this happening: A **multi-country botnet** launched a **large-scale RDP reconnaissance campaign** against **U.S. services**, using **timing attacks** and **login enumeration** to infer valid acco...

Timeline

  1. 26.08.2025 02:43 · 1 article

    Coordinated scans probe Microsoft RDP authentication portals

    Campaign Scope Update

    Nearly 1,971 IP addresses probe Microsoft Remote Desktop Web Access and RDP Web Client authentication portals in a coordinated burst, with 1,851 sharing the same client signature and roughly 92% of those already flagged malicious. The probing focuses on timing flaws that could help verify usernames and support later brute force or password-spray attacks, with sources predominantly from Brazil targeting IPs in the United States.

  2. 26.08.2025 02:43 · 1 article

    GreyNoise flags timing-flaw reconnaissance and advises MFA for exposed RDP portals

    Initial Disclosure

    GreyNoise assesses the Microsoft Remote Desktop Web Access and RDP Web Client scan wave as a possible precursor to future credential-based attacks and notes that spikes in malicious traffic can precede newly disclosed vulnerabilities. Windows admins managing exposed RDP portals are advised to enforce multi-factor authentication and, where possible, place RDP behind VPNs.
