In cybersecurity, we talk a lot about "Defense in Depth" — Firewalls, MFA, Zero Trust. But as a student training for a career in Security Operations (Blue Team), I realized I had never actually seen what happens when those defenses are missing.
Does it take days for a hacker to find an open server? Do they manually guess passwords? Who are they?
To find out, I built a Honeypot. I deployed a Windows 10 Virtual Machine on Microsoft Azure, deliberately turned off every single security feature, and waited.
Here is the autopsy of the 69,745 attacks that followed.
The Trap (The Setup)
Using my Azure for Students credits, I spun up a standard Windows 10 VM. But instead of securing it, I did the unthinkable.
I went into the Network Security Group (NSG), essentially the cloud firewall in front of the VM, and created an inbound rule that allowed all traffic from any source on all ports, overriding the default deny. Combined with the host firewall being off, this exposed the Remote Desktop Protocol (RDP, TCP port 3389) directly to the public internet.

I then connected this VM to Microsoft Sentinel, a cloud-native SIEM (Security Information and Event Management) system, by forwarding the Windows Security event log to it. This acted as my "security camera": every failed logon (Windows Event ID 4625) arrived with the source IP address, and a custom geolocation lookup table mapped each IP to an approximate geographic location. Approximate is the right word: IP geolocation is city-level at best, and an address belonging to a VPN exit or a rented server tells you where the machine is, not where the operator is.
The "Oh S**t" Moment
I expected a few random hits. I was wrong.
Within minutes of the server coming online, the logs started populating. In just 40 hours, my Honeypot recorded 69,745 failed login attempts.

This wasn't a human typing passwords. This was automated tooling, almost certainly part of a botnet. At one point, a single IP address geolocated to Australia launched 39,336 attempts in just 29 minutes. That is roughly 1,356 attempts per minute, or more than 20 per second.
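The burst above is the kind of thing a single KQL query can surface automatically. The following is an added example, not the original post's query. It assumes the Windows Security log lands in the standard Sentinel SecurityEvent table and buckets failed logons per source per minute, so that both the total volume and the peak rate of each source are visible:

```kql
// Added example: find sources whose failed-logon rate is far beyond human speed.
// Assumes the VM's Security log is in the SecurityEvent table (Sentinel's default).
let lookback = 40h;                 // the honeypot's observation window
let botThreshold = 100;             // failed logons per minute; nobody types this fast
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625             // "An account failed to log on"
| where isnotempty(IpAddress) and IpAddress != "-"   // some NLA failures carry no source IP
| summarize PerMinute = count() by IpAddress, Minute = bin(TimeGenerated, 1m)
| summarize Total = sum(PerMinute),
            PeakPerMinute = max(PerMinute),
            ActiveMinutes = count(),          // number of distinct minutes with activity
            FirstSeen = min(Minute),
            LastSeen = max(Minute)
          by IpAddress
| extend AvgPerActiveMinute = round(todouble(Total) / ActiveMinutes, 1)
| where PeakPerMinute >= botThreshold
| order by Total desc
```

The per-minute bucketing matters: averaging over the whole window would hide a source that was silent for hours and then fired thousands of attempts in a few minutes. Note the filter on `IpAddress != "-"`; when Network Level Authentication rejects a logon before the session exists, Windows sometimes logs the failure without a source address, so a query that does not handle that will silently undercount.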
The Attack Map
Using KQL (Kusto Query Language), I visualized the data to see where these threats were coming from. While I saw traffic from 10 different countries, the volume wasn't distributed evenly.
A massive 91% of all attacks came from just four IP addresses, indicating highly automated infrastructure scanning the internet for easy targets.
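The "91% from four addresses" figure and the per-country map come from the same join: failed logons enriched with the geolocation table, then ranked by volume with a running share. The query below is an added example rather than the post's own query. It assumes the geolocation data was imported as a Sentinel watchlist named `geoip` with the columns `network`, `cityname`, `countryname`, `latitude` and `longitude`; those names are assumptions and should be adjusted to whatever the imported CSV actually uses:

```kql
// Added example: enrich failed RDP logons with geolocation and show how
// concentrated the traffic is. Watchlist name and column names are assumptions.
let GeoIP = _GetWatchlist('geoip')
    | project network, cityname, countryname,
              latitude = todouble(latitude), longitude = todouble(longitude);
let Failed = SecurityEvent
    | where TimeGenerated > ago(40h)
    | where EventID == 4625
    | where isnotempty(IpAddress) and IpAddress != "-";
let TotalAttempts = toscalar(Failed | count);
Failed
| summarize Attempts = count() by IpAddress
// CIDR-aware lookup: matches each IpAddress against the 'network' ranges.
// return_unmatched keeps sources the table does not know about.
| evaluate ipv4_lookup(GeoIP, IpAddress, network, return_unmatched = true)
| extend Country = coalesce(countryname, "Unknown"),
         City = coalesce(cityname, "Unknown")
| extend ShareOfTotal = round(100.0 * Attempts / TotalAttempts, 1)
| order by Attempts desc
| extend CumulativeShare = row_cumsum(ShareOfTotal)   // running total down the ranking
| project IpAddress, Country, City, latitude, longitude,
          Attempts, ShareOfTotal, CumulativeShare
```

Reading the `CumulativeShare` column down the first few rows gives the concentration figure directly; a further `summarize sum(Attempts) by Country, latitude, longitude` on the same result is what feeds a Sentinel workbook map. Keep the "Unknown" bucket visible rather than dropping it, because addresses missing from a static geolocation file are exactly the newly allocated hosting ranges attackers tend to rent.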

What Were They Typing?
This was the most interesting part of the analysis. The bots weren't just guessing "password123." They were cycling through a predefined dictionary of usernames.
I saw attempts for:
- ADMINISTRATOR (the standard built-in account name)
- admin (lowercase)
- АДМИНИСТРАТОР (Russian Cyrillic for Administrator)
- ADMINISTRATEUR (French)
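Those localized variants are easy to miss if you only count exact usernames, because "ADMINISTRATOR", "admin" and "АДМИНИСТРАТОР" land in separate rows. The added example below (not from the original post; it assumes the same SecurityEvent table) case-folds the attempted account names and groups the localized spellings of the administrator account into one family, so the dictionary the bots are working from becomes visible:

```kql
// Added example: which account names are the bots guessing, grouped by family.
// Assumes the Security log is in SecurityEvent; the name lists are illustrative.
SecurityEvent
| where TimeGenerated > ago(40h)
| where EventID == 4625
| where isnotempty(TargetUserName)
| extend Normalized = tolower(TargetUserName)        // fold case, including Cyrillic
| extend Family = case(
      // localized spellings of the built-in administrator account
      Normalized in ("administrator", "admin", "administrateur",
                     "administrador", "администратор"), "administrator",
      Normalized in ("guest", "user", "test", "scanner", "backup"),  "generic",
      Normalized endswith "$",                                        "machine-account",
      "other")
| summarize Attempts = count(),
            Sources = dcount(IpAddress),
            SeenAs = make_set(TargetUserName, 10)    // the raw spellings behind each row
          by Family, Normalized
| order by Attempts desc
```

Seeing the same dictionary of names arrive from many unrelated source addresses (`Sources` high for the same `Normalized` value) is a stronger indicator of shared tooling than any single IP's volume. Practically, it is also the argument for renaming or disabling the built-in Administrator account, since every entry in that family targets it.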

The Blue Team Lesson
This experiment was a wake-up call. My server wasn't "targeted" because I am important. It was targeted because it was there.
The internet is constantly being scanned by automated scripts looking for low-hanging fruit. If you spin up a resource in the cloud and forget to configure the firewall or NSG, you aren't "safe for a few days." The brute-forcing starts within minutes, and with a weak or reused password, compromise follows soon after.
For me, this project was the perfect way to get hands-on with Microsoft Sentinel and KQL. Reading about "Threat Intelligence" is one thing; watching a live map of brute-force attacks against your own infrastructure is another level of learning entirely.