Identifies RDP clients attempting authentication using Network Level Authentication (NLA) with the NTLM challenge-response protocol. This occurs during the CredSSP negotiation phase before a remote desktop session is established and indicates an active credential authentication attempt against the RDP service

Automated SMTP interaction performing a minimal capability check by issuing EHLO followed by a STARTTLS upgrade request and immediately terminating the session. This pattern is commonly associated with internet-wide scanners, security research crawlers, or opportunistic bots verifying whether an SMTP service supports encrypted communication. The absence of authentication attempts or message submission indicates reconnaissance or service fingerprinting rather than active abuse.