Hackers Launch 30,000 New Attacks a Day on RDP: What SMBs Need to Know

Cybersecurity researchers are warning of a massive campaign targeting Microsoft Remote Desktop Protocol (RDP) — a tool many small and mid-sized businesses rely on for remote access. Attackers are using over 30,000 new IP addresses every day to exploit timing-based vulnerabilities and gain access to systems across the United States.

Since September 2025, this campaign has used more than 500,000 unique IPs, making it one of the largest RDP attacks ever observed.

How the Attack Works

The botnet behind these attacks constantly changes IP addresses to stay hidden and avoid traditional firewalls or blocklists. Once inside a network, attackers can steal data, deploy ransomware, or move laterally across systems.

Two key vulnerabilities are being exploited:

  • Timing-based authentication attacks – hackers measure tiny response delays to learn if a username or password is valid.
  • Login enumeration checks – automated scripts test credentials to find valid accounts.

Because the activity looks like normal RDP traffic, many intrusion detection systems never raise an alert.

Why SMBs Should Be Concerned

RDP remains a favorite target for cybercriminals because it gives them a direct doorway into your business systems. Once they gain access, they can shut down operations, lock files, or steal sensitive information.

Even if you keep software patched and use strong passwords, these automated attacks are so large and fast that manual IP blocking can’t keep up. Attackers simply switch to a new address and continue their attempts.

For SMBs with limited IT resources, defending against thousands of new probes daily can feel impossible — but there are ways to protect yourself before damage occurs.

What You Can Do Right Now

Here are quick steps every small business should take to reduce RDP risks:

  1. Restrict RDP Access: Never leave RDP open to the public internet. Require VPN or gateway access for remote connections.
  2. Use Multi-Factor Authentication (MFA): Add an extra layer of verification to stop attackers who guess or steal passwords.
  3. Limit Admin Privileges: Only give RDP rights to users who absolutely need them.
  4. Monitor Logs: Look for repeated failed logins or unknown IP addresses.
  5. Update Systems Regularly: Keep your servers and operating systems patched to close known holes.
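
To make step 4 concrete against rotating source addresses, here is an added example (not from the original article or from any vendor tool) that compares a per-IP failure count with a per-account count of distinct source IPs. The CSV column names, the sample records and both thresholds are assumptions made for illustration; event ID 4625 is the Windows Security log entry for a failed logon.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security events exported as CSV (4625 = failed
# logon, 4624 = success). IPs are documentation ranges; user names are made up.
SAMPLE = """time,event_id,logon_type,user,src_ip
2025-10-01T02:00:05,4625,3,administrator,198.51.100.7
2025-10-01T02:01:40,4625,3,administrator,198.51.100.91
2025-10-01T02:03:12,4625,3,Administrator,203.0.113.15
2025-10-01T02:05:55,4625,10,administrator,203.0.113.200
2025-10-01T02:07:30,4625,3,administrator,192.0.2.44
2025-10-01T09:15:00,4625,10,jsmith,192.0.2.10
2025-10-01T09:15:20,4625,10,jsmith,192.0.2.10
2025-10-01T09:15:45,4625,10,jsmith,192.0.2.10
2025-10-01T09:16:10,4624,10,jsmith,192.0.2.10
"""

def failed_remote_logons(text):
    # Logon type 10 is RemoteInteractive; with NLA, RDP failures often log as type 3.
    for row in csv.DictReader(io.StringIO(text)):
        if row["event_id"] == "4625" and row["logon_type"] in {"3", "10"}:
            yield datetime.fromisoformat(row["time"]), row["user"].lower(), row["src_ip"]

def per_ip_offenders(text, threshold=3):
    """Classic view: source IPs with at least `threshold` failures."""
    counts = defaultdict(int)
    for _, _, ip in failed_remote_logons(text):
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def accounts_hit_from_many_ips(text, window=timedelta(minutes=10), min_ips=4):
    """Account view: users whose failures come from >= min_ips distinct IPs
    inside any sliding window. Returns {user: peak distinct-IP count}."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(failed_remote_logons(text)):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, len({ip for _, ip in events[start:end + 1]}))
        if peak >= min_ips:
            flagged[user] = peak
    return flagged
```

On the sample, the per-IP count flags only the employee who mistyped a password three times, while the per-account count flags the administrator account that was tried once each from five different addresses.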

Go Beyond Detection with Application Allowlisting

Traditional antivirus and IP blocking focus on detecting threats after they appear. But when attackers rotate tens of thousands of IPs a day, reaction-based tools can’t keep up.

That’s where PC Matic’s application allowlisting makes a difference. Instead of trying to recognize what’s bad, allowlisting blocks everything that isn’t explicitly approved.

If an attacker gains access through RDP and tries to run a new tool or ransomware file, it won’t execute — because it’s not on the allowlist. This simple rule stops attacks before they start.

Key benefits for SMBs:

  • Only trusted programs can run on your systems.
  • Ransomware and unknown executables are automatically blocked.
  • Centralized control lets IT staff easily approve legitimate software.

Allowlisting flips the cybersecurity model from “detect and respond” to “block and verify.” It’s a smarter, more proactive defense that’s well-suited for small businesses.

Stay Ahead of the Threat

This RDP campaign shows how quickly attackers adapt. By rotating IPs and exploiting subtle timing flaws, they can bypass traditional security layers and quietly test your defenses.

For SMBs, the solution is to combine good security hygiene — like MFA, limited access, and patching — with proactive protection that prevents unauthorized software from ever running.

With PC Matic’s allowlisting, you don’t have to chase every new IP address or worry about which threat slipped through. Unknown applications are stopped automatically, keeping your business safe even as cyber threats evolve daily.

Stop Responding to Threats.
Prevent Them.
