90% of Cyberattacks Utilize Remote Desktop Protocol (RDP)

90% of Cyberattacks Utilize Remote Desktop Protocol (RDP)

Sophos reveals an alarming trend in the cybersecurity world.

In a comprehensive analysis of over 150 incident response (IR) cases managed by the Sophos X-Ops IR team in 2023, it was discovered that cybercriminals are abusing the Remote Desktop Protocol (RDP) in 90% of attacks. This method, commonly used to establish remote access on Windows systems, has become attackers' preferred tool.

What Is Remote Desktop Protocol (RDP)?

RDP allows users to connect to a computer or server remotely. It is a legitimate and useful tool for system administrators and remote workers. However, its misuse by cybercriminals has increased significantly.

Key Findings:

  1. Unprecedented Abuse: 90% of examined attacks involved malicious use of RDP. This figure is the highest since Sophos began compiling Active Adversary Reports in 2021.
  2. Initial Access: External remote services, such as RDP, were the initial access method in 65% of IR cases in 2023. Attackers exploit vulnerabilities in these services to infiltrate networks.
  3. Business Risk: While external remote services are necessary for many companies, they are also risky. Attackers are aware of the dangers and actively seek to compromise them. Exposing services without proper security attention can lead to network compromise.

Enterprise Security Tips:

  • Prioritize RDP Management: Evaluate and secure external remote services. Implement additional controls and monitor their usage.
  • Compromised Credentials and Vulnerabilities: These remain the two most common attack origins. Keep your systems updated and reinforce password security.
  • Real-World Example: In a specific case, attackers compromised a Sophos X-Ops client's network four times in six months, always through exposed RDP ports. The importance of protecting these entry points cannot be underestimated.


Cybersecurity is a critical priority for organizations. The abuse of RDP is a clear signal that we must stay vigilant and take proactive measures to protect our networks. Let's not underestimate the cunning of cybercriminals and work together to stay one step ahead in the fight against attacks.