Rdp Legacy Plaintext Authentication Attempt

Identifies RDP clients attempting authentication using the legacy RDP security mode where credentials are exchanged through the older RDP security layer instead of Network Level Authentication (NLA). This indicates the client negotiated legacy plaintext authentication during the RDP security handshake

Observed IPs

267

Avg Confidence

76%

Severity

medium

Top IPs by event countRDP

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
71.6.199.23	100%	3,623	1,855	🇺🇸 US	AS10439	2026-03-09
80.66.83.43	100%	3,141	2,710	🇷🇺 RU	AS216473	2026-03-09
167.94.138.191	30%	3,100	1,680	🇺🇸 US	AS398324	2026-03-10
162.142.125.121	30%	2,954	1,650	🇺🇸 US	AS398324	2026-03-10
167.94.146.55	30%	2,855	1,670	🇺🇸 US	AS398705	2026-03-10
80.82.77.139	100%	2,834	1,631	🇳🇱 NL	AS202425	2026-03-09
66.132.153.120	100%	2,819	1,592	🇺🇸 US	AS398324	2026-03-10
162.142.125.118	30%	2,755	1,677	🇺🇸 US	AS398324	2026-03-10
80.82.77.33	100%	2,691	1,540	🇳🇱 NL	AS202425	2026-03-10
167.94.146.62	30%	2,686	1,603	🇺🇸 US	AS398705	2026-03-10
86.54.31.32	100%	2,663	1,413	🇨🇦 CA	AS12989	2026-03-09
162.142.125.123	30%	2,652	1,591	🇺🇸 US	AS398324	2026-03-10
66.132.153.123	100%	2,623	1,623	🇺🇸 US	AS398324	2026-03-10
167.94.146.61	30%	2,607	1,466	🇺🇸 US	AS398705	2026-03-09
162.142.125.223	30%	2,583	1,427	🇺🇸 US	AS398324	2026-03-09
167.94.138.181	30%	2,534	1,439	🇺🇸 US	AS398324	2026-03-09
167.94.146.63	30%	2,528	1,447	🇺🇸 US	AS398705	2026-03-09
167.94.138.184	30%	2,524	1,509	🇺🇸 US	AS398324	2026-03-10
167.94.138.187	30%	2,513	1,509	🇺🇸 US	AS398324	2026-03-10
162.142.125.124	30%	2,502	1,474	🇺🇸 US	AS398324	2026-03-10