Ransomware is evolving toward faster, more targeted data-extortion models where encryption is no longer the primary objective.
According to our 2026 cybersecurity outlook, crypto-ransomware will gradually give way to patterns that prioritize data exfiltration and extortion based on the victim’s reputation. Attacks thus become less about technical choreography and, paradoxically, even swifter.
But this shift also has a direct consequence: attackers’ attention moves from the initial breach to lateral movement inside the network. In this context, internal, widely used tools that appear “trustworthy,” such as the Remote Desktop Protocol (RDP), have become among the most effective means to move laterally.
Google Threat Intelligence (GTIG) data show that RDP features in 85% of these attacks, underscoring a clear trend: attackers are abandoning complex malware in favor of “living off the land,” that is, leveraging legitimate tools to stay hidden.
This means the question is no longer only how attackers break in, but above all what they do once they are inside.
RDP: a discreet threat vector
RDP is a reliable tool, widely used to allow employees to access their work environments remotely, and it is also employed by IT administrators and managed service providers (MSPs) for device management and support.
Precisely because it is deeply embedded in the everyday workflows of businesses, it has become a favored attack vector: it lets attackers blend into the regular traffic of the organization, often remaining undetected for long periods during which they can cause substantial damage.
Cybercriminals exploit RDP to:
- Elevate their privileges using compromised credentials.
- Move discreetly between different systems.
- Prepare data thefts or launch attacks without triggering obvious alerts.
For MSPs, the challenge is even greater. They must learn to distinguish legitimate sessions from malicious activity across varied environments where RDP is often part of daily operations.
The real challenge: spotting danger in ordinary activity
For MSPs managing countless endpoints and clients, most daily actions appear normal: remote logins, data transfers, and configuration changes. It is precisely this “normal” behavior that cybercriminals seek to exploit, making detection far more difficult.
If they manage to hide within legitimate processes, they can move through networks undetected and inflict substantial damage.
This creates a new challenge: distinguishing legitimate sessions from unauthorized behaviors in an environment where the two appear nearly identical. The task can become overwhelming, especially for MSPs already flooded with alerts, diminishing operational efficiency and slowing response times.
Solving this requires a more structured strategy, focused on:
- Continuous endpoint monitoring, with behavioral threat detection and clear visibility into incidents.
- Multifactor authentication (MFA) extended to all critical access, including Windows logons and RDP connections, to prevent a compromised credential from moving laterally through the network.
- Event correlation, turning isolated data into actionable alerts.
- Prioritizing incidents by real risk level, so teams focus on the most significant threats.
Adopting this model enables teams to identify anomalies hiding behind “normal” activity, reduce noise, and significantly improve their response capabilities.
How to detect and halt lateral movement in practice
AI-powered EDR solutions address this challenge by combining prevention, detection, and response within a single platform. Yet the real change isn’t limited to threat detection alone; it also lies in the ongoing visibility and behavioral context they provide to MSPs, enabling them to better protect their clients and grow their business.
Concretely, this means:
- Complete visibility across endpoints, unifying telemetry from processes, connections, and users, along with root-cause analysis to understand the origin and scope of threats.
- Lateral movement detection, including unusual RDP connections, credential manipulation, and suspicious login patterns, with alert mapping to the MITRE ATT&CK framework.
- Automated incident correlation, linking multiple events to reconstruct the full attack scenario, helping teams focus their efforts and reducing alert fatigue.
- Endpoint isolation and response, with quarantine of devices and stopping of suspicious processes, supported by remote analysis and remediation tools.
- Multi-tenant consoles to enhance operational efficiency, allowing MSPs to manage more clients without increasing complexity or costs.
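The detection, correlation and prioritization steps listed above (and in the strategy list earlier on this page) can be illustrated concretely. The following Python is an added example written for this page; it is not code from the original post or from any EDR product it describes. It runs over constructed Windows Security log entries: event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows identifiers, and T1021.001 and T1110 are real MITRE ATT&CK technique IDs, but every hostname, account, address and timestamp below is constructed sample data, and the thresholds (three distinct hosts in ten minutes, three failures in five minutes) are arbitrary choices for the example.

```python
"""Added example (not from the original post): flag RDP lateral-movement
patterns in Windows logon events, correlate them into incidents and rank
them by risk. All sample data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10            # Windows LogonType 10 = RemoteInteractive (RDP)
ATTACK_RDP = "T1021.001"       # MITRE ATT&CK: Remote Services: Remote Desktop Protocol
ATTACK_BRUTE_FORCE = "T1110"   # MITRE ATT&CK: Brute Force

# Constructed events: (timestamp, event_id, target_host, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    ("2025-03-10T09:00:05", 4624, "WS-FIN-01",   "alice",      "10.0.1.20", 10),
    ("2025-03-10T09:03:10", 4625, "SRV-FILE-01", "svc_backup", "10.0.1.55", 10),
    ("2025-03-10T09:03:12", 4625, "SRV-FILE-01", "svc_backup", "10.0.1.55", 10),
    ("2025-03-10T09:03:15", 4625, "SRV-FILE-01", "svc_backup", "10.0.1.55", 10),
    ("2025-03-10T09:03:40", 4624, "SRV-FILE-01", "svc_backup", "10.0.1.55", 10),
    ("2025-03-10T09:05:02", 4624, "SRV-SQL-01",  "svc_backup", "10.0.1.55", 10),
    ("2025-03-10T09:06:30", 4624, "SRV-DC-01",   "svc_backup", "10.0.1.55", 10),
    ("2025-03-10T09:07:11", 4624, "SRV-AD-02",   "svc_backup", "10.0.1.55", 10),
    ("2025-03-10T13:00:00", 4624, "WS-FIN-01",   "alice",      "10.0.1.20", 10),
    ("2025-03-10T13:30:00", 4624, "WS-HR-03",    "bob",        "10.0.1.21", 2),
]


def parse_events(rows):
    """Turn raw tuples into dicts with real datetimes, sorted chronologically."""
    events = [
        {"ts": datetime.fromisoformat(ts), "event_id": eid, "host": host,
         "account": account, "source_ip": src, "logon_type": ltype}
        for ts, eid, host, account, src, ltype in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """One account opening RDP sessions to many distinct hosts in a short
    window is the 'unusual RDP connections' pattern; one alert per account."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == RDP_LOGON_TYPE:
            by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        for i, start in enumerate(evs):          # sliding window over sorted logons
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "technique": ATTACK_RDP,
                               "hosts": sorted(hosts), "first_seen": start["ts"]})
                break
    return alerts


def detect_failed_then_success(events, window=timedelta(minutes=5), min_failures=3):
    """A burst of 4625 failures followed by a 4624 success for the same
    account/host/source is the 'suspicious login pattern' (credential guessing)."""
    failures = defaultdict(list)   # (account, host, source_ip) -> failure timestamps
    alerts = []
    for ev in events:
        key = (ev["account"], ev["host"], ev["source_ip"])
        if ev["event_id"] == 4625:
            failures[key].append(ev["ts"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"account": ev["account"], "host": ev["host"],
                               "source_ip": ev["source_ip"], "technique": ATTACK_BRUTE_FORCE,
                               "failures": len(recent), "first_seen": ev["ts"]})
            failures[key] = []     # a success closes the failure burst
    return alerts


def correlate(events):
    """Group alerts by account into one incident each, and rank by risk:
    an account that both guessed credentials and fanned out over RDP is 'high'."""
    incidents = defaultdict(list)
    for alert in detect_failed_then_success(events) + detect_rdp_fan_out(events):
        incidents[alert["account"]].append(alert)
    ranked = {}
    for account, alerts in incidents.items():
        techniques = {a["technique"] for a in alerts}
        ranked[account] = {"priority": "high" if len(techniques) > 1 else "medium",
                           "techniques": sorted(techniques), "alerts": alerts}
    return ranked


if __name__ == "__main__":
    for account, incident in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(account, incident["priority"], incident["techniques"])
```

In the constructed data, `alice` reconnects to her own workstation twice and `bob` logs on interactively (logon type 2), so neither produces an alert; `svc_backup` fails three times, succeeds, then reaches four servers over RDP within four minutes, which the correlation step folds into a single high-priority incident instead of five separate alerts. In production the same logic would read from the Security event log or a SIEM rather than an in-memory list.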
Visibility and context: the new line of defense
It is no accident that 85% of cyberattacks leverage RDP. This underscores how criminals operate today: by using legitimate tools to stay unseen.
The more an attack resembles normal activity, the harder it is for an organization to detect, and the more likely it is to succeed.
This is the true challenge for MSPs. Endpoint security is no longer limited to prevention; it now relies on clear visibility and behavioral context that enable faster, more precise detections, paired with immediate response capabilities.
Adopting this model does not merely neutralize lateral movement; it also helps build security operations that are more effective, scalable, and resilient in the face of today’s evolving threats.