
Malicious Website Blocked (91.241.19.173:3389)


WORKS2016


I've been seeing more and more attacks against RDP sessions recently, and I've also seen it get far enough that someone has gained access to the desktop at the logon screen. I know the IP address, as mentioned in the title. What I'd like to find out is where the attack is originating from on clients' computers. Is it coming from an email they opened, a website they went to, etc.? I was allowing RDP connections through the firewall on different ports until I noticed the possible attacker being at the logon screen. Now everyone makes a VPN connection first before RDP.

Does anyone know how this attack is being initiated? After making users create a VPN connection, they are still showing active attacks. I'd like to pinpoint where they are coming from.


Use a service like this to look up DNS records - https://www.findip-address.com/ - you will find it originates from Russia.

Or - Google 
who is 91.241.19.173

https://www.abuseipdb.com/check/91.241.19.173

You may need to use Intrusion Detection network monitoring and firewall port monitoring to investigate at an IP Packet level, how the traffic is entering your network.

If all of your endpoints only use VPN to connect, then you will need to track down the source IP, maybe via the VPN server's logs, to find the compromised endpoint.

These topics are beyond the scope of Malwarebytes products and you may need to enlist some expert assistance from a network specialist or penetration tester.
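The reply above suggests correlating failed RDP logons with the VPN server's logs to find which endpoint an internal source address maps back to. The script below is an added illustration of that workflow and is not code from the original thread or from Malwarebytes. It works over constructed sample records: a simplified stand-in for Windows Security event 4625 (failed logon, logon type 10 = RemoteInteractive, i.e. RDP) and a simplified VPN session table; the field layouts, the `10.8.0.x` VPN pool, the user names and the timestamps are all assumptions made for the example. Only the external address 91.241.19.173 comes from the thread.

```python
"""Flag RDP brute-force sources from failed-logon records and map internal
(VPN-assigned) sources back to the VPN user who held that address at the time.

All log data below is constructed for this example; the line formats are
simplified stand-ins, not any vendor's real log layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (simplified Windows event 4625):
# timestamp | event id | target account | logon type | source IP
RDP_LOG = """\
2020-05-01T10:00:01 4625 Administrator 10 91.241.19.173
2020-05-01T10:00:02 4625 admin 10 91.241.19.173
2020-05-01T10:00:03 4625 test 10 91.241.19.173
2020-05-01T10:00:04 4625 guest 10 91.241.19.173
2020-05-01T10:00:05 4625 user 10 91.241.19.173
2020-05-01T10:00:06 4625 Administrator 10 91.241.19.173
2020-05-01T10:15:30 4625 jsmith 10 10.8.0.12
2020-05-01T10:15:31 4625 jsmith 10 10.8.0.12
2020-05-01T10:15:32 4625 jsmith 10 10.8.0.12
2020-05-01T10:15:33 4625 jsmith 10 10.8.0.12
2020-05-01T10:15:34 4625 jsmith 10 10.8.0.12
2020-05-01T10:15:35 4625 Administrator 10 10.8.0.12
2020-05-01T11:00:00 4625 bjones 10 10.8.0.33
"""

# Constructed VPN session records (assumed format):
# assigned IP | VPN user | session start | session end
VPN_LOG = """\
10.8.0.12 jsmith 2020-05-01T09:50:00 2020-05-01T12:00:00
10.8.0.12 mlee 2020-05-01T13:00:00 2020-05-01T15:00:00
10.8.0.33 bjones 2020-05-01T10:30:00 2020-05-01T11:30:00
"""

THRESHOLD = 5               # failures from one source inside WINDOW -> flag it
WINDOW = timedelta(minutes=5)


def parse_failed_logons(text):
    """Return [(timestamp, account, source_ip)] for failed RDP logons only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, logon_type, src = line.split()
        # Logon type 10 is RemoteInteractive (RDP); other types are ignored here.
        if event_id == "4625" and logon_type == "10":
            events.append((datetime.fromisoformat(ts), account, src))
    return events


def find_bruteforce_sources(events, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: (count, first_ts, accounts)} for every source with at
    least `threshold` failures inside a sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, account, src in events:
        by_src[src].append((ts, account))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for i in range(len(items)):
            j = i
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            if j - i >= threshold:
                accounts = sorted({a for _, a in items[i:j]})
                flagged[src] = (j - i, items[i][0], accounts)
                break  # first qualifying burst is enough to flag the source
    return flagged


def vpn_user_for(ip, at, vpn_text):
    """Map a VPN-assigned IP at time `at` to the user holding that session,
    or None if no session covers that moment (e.g. an external address)."""
    for line in vpn_text.splitlines():
        if not line.strip():
            continue
        assigned, user, start, end = line.split()
        if assigned == ip and datetime.fromisoformat(start) <= at <= datetime.fromisoformat(end):
            return user
    return None


def investigate(rdp_text=RDP_LOG, vpn_text=VPN_LOG):
    """Flag brute-force sources and, where the source is a VPN address,
    name the VPN user; returns [(src_ip, count, vpn_user_or_None)]."""
    flagged = find_bruteforce_sources(parse_failed_logons(rdp_text))
    return [(src, count, vpn_user_for(src, first_ts, vpn_text))
            for src, (count, first_ts, _) in sorted(flagged.items())]


if __name__ == "__main__":
    for src, count, user in investigate():
        origin = f"VPN user {user}" if user else "no VPN session (external)"
        print(f"{src}: {count} failed RDP logons in window -> {origin}")
```

A source that brute-forces through the VPN shows up as an address from the VPN pool, and the session table tells you which endpoint held that address during the burst; that endpoint, not the VPN, is where to look next. Sources with no covering session are reaching RDP by some other path, which is the case the poster wanted to rule out.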
