August 28, 2025 Blogs 4 min read

Back to class, back to attacks: What schools must know about RDP probing

By KYND


As the new school year begins, classrooms aren’t the only places buzzing with activity: cyber attackers are busy too. Schools are increasingly on the frontlines of cybercrime, and this back-to-school season has brought an alarming surge in malicious probing of Microsoft Remote Desktop Protocol (RDP) services.

On August 21, 2025, GreyNoise detected a dramatic escalation: nearly 2,000 unique IP addresses (most already flagged as malicious) simultaneously probed RD Web Access and RDP Web Client portals with the same client signature. Just days later, that activity exploded, with more than 30,000 different IPs escalating their scans. For schools, this isn’t just another abstract cybersecurity headline—it’s a direct warning sign.

Why this matters to schools now

The timing of this surge is concerning. As districts across the U.S. return to school, IT systems are stretched to their limits: thousands of students are onboarded, new staff accounts are created, and remote labs and help desk systems—many of which rely on RDP—are activated for the first time since summer break. This flurry of activity creates a fertile ground for attackers looking to take advantage of inevitable misconfigurations or rushed deployments.

What makes schools particularly vulnerable is the predictability of account structures. Student logins often follow simple, guessable formats like IDs or firstname.lastname combinations. Enumeration tools thrive in this environment, exploiting even small timing differences in login workflows to determine which usernames are valid. With that information in hand, attackers are one step closer to brute-forcing or phishing their way into school systems.

At the same time, the resource constraints facing K-12 districts make these risks harder to manage. IT teams are often understaffed and underfunded, especially in the first hectic weeks of school when the pressure is on to prioritize access and availability over security hardening. Remote Desktop services can be left exposed to the open internet—an easy but risky shortcut that attackers know to watch for.

Finally, the education sector is already a prime target. According to Microsoft’s Threat Intelligence, schools and universities endure thousands of cyberattack attempts every single week, ranking education among the most frequently attacked industries worldwide. When threat actors coordinate massive scanning campaigns like the one observed in August, schools are almost certainly among the intended victims.

What school IT administrators should do

1. Immediate hardening of RDP services
Audit and restrict public exposure: RDP endpoints like Web Access and Web Client should ideally be behind VPNs or firewalls – not directly internet-facing. Block or rate-limit scans from malicious IPs.

2. Accelerate access security
Enforce Multi-Factor Authentication (MFA) for all RDP and remote access. Implement account lockout thresholds and monitor suspicious use patterns. Use strong, non-predictable usernames or alias formats during deployment.

3. Monitor and log RDP activity
Watch for high-volume probes or consistent timing-attack indicators. Set up alerts for unusual authentication workflows that diverge from the norm. Leverage automated threat monitoring—something your risk pool or consortium might facilitate.

4. Educate staff and users
Conduct training on social engineering and remote access hygiene. Alert staff to phishing campaigns disguised as IT or student portals. Include students in awareness, particularly those using BYOD in remote labs.

5. Adopt proactive prevention measures
The surge in RDP probing highlights the importance of moving from a reactive stance to a proactive one. For schools, that starts with visibility: knowing exactly which systems are exposed and how attackers might exploit them. From there, it’s about prioritization—focusing first on the vulnerabilities and misconfigurations most likely to be targeted, rather than spreading limited resources too thin. Finally, it means turning insight into action by patching, hardening, or segmenting where needed.
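To make step 3 (monitoring) and the blocking advice in step 1 concrete, here is an added detection example, not code from KYND or GreyNoise: it scans constructed RD Web Access log lines for the pattern described above, one client signature (User-Agent) arriving from many distinct source IPs within a short window, and turns the hits into a list that can feed a firewall deny rule. The log layout, paths, thresholds and all addresses are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an IIS W3C-like layout (not real traffic):
# date time client-ip uri-stem status user-agent
SAMPLE_LOG = """\
2025-08-21 09:00:01 203.0.113.10 /RDWeb/Pages/en-US/login.aspx 200 Scanner/1.0
2025-08-21 09:00:02 203.0.113.11 /RDWeb/Pages/en-US/login.aspx 200 Scanner/1.0
2025-08-21 09:00:04 203.0.113.12 /RDWeb/Pages/en-US/login.aspx 200 Scanner/1.0
2025-08-21 09:00:05 198.51.100.7 /RDWeb/webclient/ 200 Scanner/1.0
2025-08-21 09:01:30 192.0.2.5 /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0 (Windows NT 10.0)
2025-08-21 09:40:00 192.0.2.5 /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0 (Windows NT 10.0)
"""

# Assumed path prefix shared by RD Web Access and the RDP Web Client portal.
RDP_WEB_PATHS = ("/RDWeb/",)


def parse_line(line):
    """Split one log line into (timestamp, ip, path, status, user_agent)."""
    date, time, ip, path, status, ua = line.split(" ", 5)
    return datetime.fromisoformat(f"{date} {time}"), ip, path, int(status), ua


def coordinated_probes(log_text, window=timedelta(minutes=5), min_ips=3):
    """Return {user_agent: set_of_ips} for every client signature seen from at
    least `min_ips` distinct source addresses within `window` on RDP web paths."""
    by_ua = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, path, _status, ua = parse_line(raw)
        if path.startswith(RDP_WEB_PATHS):
            by_ua[ua].append((ts, ip))
    alerts = {}
    for ua, events in by_ua.items():
        events.sort()  # sliding window over time-ordered hits for this signature
        for i, (start, _ip) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                alerts[ua] = ips
                break
    return alerts


def block_list(alerts):
    """Flatten alerting source IPs into a sorted list for a firewall deny rule."""
    return sorted({ip for ips in alerts.values() for ip in ips})
```

A legitimate user returning from one address is never flagged; only a shared signature spread across many sources trips the alert.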

A call to action: Build resilience this school year

As schools gear up for a new academic year, this surge in RDP probing is a critical reminder: attackers are watching when infrastructure changes, leveraging predictable setups, and exploiting limited defenses.

For school IT teams, the message is clear: harden RDP now, monitor intelligently, and train continuously. But doing so in the face of limited budgets and staffing requires more than awareness – it calls for clarity on where risks truly lie and confidence in what to address first. Risk pools can play a key role in supporting this shift by helping members benchmark their exposure, share threat intelligence across districts, and build a clear roadmap for resilience. With this collective approach, schools aren’t just reacting to the latest wave of malicious activity – they’re one step ahead of it.
