Internet intelligence firm GreyNoise reports that it has recorded a significant spike in scanning activity consisting of nearly 1,971 IP addresses probing Microsoft Remote Desktop Web Access and RDP Web Client authentication portals in unison, suggesting a coordinated reconnaissance campaign. The researchers say that this is a massive change in activity, with the company usually only seeing 3–5 IP addresses a day performing this type of scanning. GreyNoise says that the wave in scans is testing for timing flaws that could be used to verify usernames, setting up future credential-based attacks, such as brute force or password-spray attacks. GreyNoise also says that 1,851 shared the same client signature, and of those, approximately 92% were already flagged as malicious. The IP addresses predominantly originate from Brazil and targeted IP addresses in the United States, indicating it may be a single botnet or toolset conducting the scans. The researchers say that the timing of the attack coincides with the US back-to-school season, when schools and universities may be bringing their RDP systems back online. However, the surge in scans could also indicate that a new vulnerability may have been found, as GreyNoise has previously found that spikes in malicious traffic commonly precede the disclosure of new vulnerabilities. Windows admins managing RDP portals and exposed devices should make sure their accounts are properly secured with multi-factor authentication, and if possible, place them behind VPNs.