
Microsoft Rolls Out New Windows Defenses Against Weaponized RDP Files

April 15, 2026 00:00 · 5 min read

A Long-Abused Feature Gets Overdue Guardrails

Microsoft has quietly shipped a meaningful set of security improvements targeting one of the more insidious phishing vectors in circulation: malicious Remote Desktop connection files, identified by the .rdp extension. The changes, bundled inside the April 2026 cumulative updates, aim to curtail campaigns that have grown increasingly sophisticated over recent years.

RDP files are a staple in enterprise IT environments. Administrators use them to preconfigure connections to remote systems, and one of their most convenient features is the ability to automatically redirect local resources — including drives, clipboards, and authentication devices — to the remote host. Unfortunately, that same convenience has made them an attractive weapon for threat actors operating phishing campaigns.

How Attackers Have Exploited RDP Files

When a victim receives a malicious RDP file via phishing email and opens it, their machine silently establishes a connection to an attacker-controlled server. Once connected, local resources are redirected to that server, giving the attacker potential access to files and credentials stored on disk. Beyond file theft, attackers can also harvest clipboard data — such as copied passwords or sensitive text — and even redirect authentication mechanisms like smart cards or Windows Hello to impersonate victims.

The Russian state-sponsored hacking group APT29 is among the most notable threat actors to have weaponized this technique, having previously used rogue RDP files in campaigns designed to remotely steal data and credentials from targeted individuals and organizations.

"Malicious actors misuse this capability by sending RDP files through phishing emails. When a victim opens the file, their device silently connects to a server controlled by the attacker and shares local resources, giving the attacker access to files, credentials, and more." — Microsoft

What the April 2026 Updates Change

The new protections are included in three specific cumulative updates released in April 2026:

After applying these updates, the Windows experience for opening RDP files changes in two key ways.

First-Time Educational Prompt

The first time a user opens an RDP file following the update, Windows displays a one-time educational dialog. This prompt explains what RDP files are, outlines the associated risks, and asks the user to acknowledge that they understand those risks before proceeding. Once the user clicks OK, the educational dialog will not appear again for subsequent RDP file openings.

Persistent Security Dialog on Every Connection Attempt

Going forward, every attempt to open an RDP file will trigger a security dialog before any connection is established. This dialog surfaces three critical pieces of information:

  1. Whether the RDP file has been digitally signed by a verified publisher
  2. The address of the remote system the file intends to connect to
  3. A full list of local resource redirections the file is requesting — such as drives, clipboard access, or peripheral devices — with every option disabled by default

If the RDP file is not digitally signed, Windows prominently displays a "Caution: Unknown remote connection" warning and labels the publisher as unknown, signaling that there is no way to verify who created the file. Even when a file does carry a digital signature, Windows continues to urge users to verify the publisher's legitimacy before proceeding with the connection.
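The same three facts the new dialog surfaces (signing, remote address, requested redirections) can be checked before a file ever reaches a user, for example in a mail-gateway attachment scanner. The script below is an added example, not Microsoft's code or the article's; the setting names are the documented RDP-file properties, the host name is constructed, and the signature check only detects that signing fields are present, not that the signature is valid or the publisher trusted.

```python
# Settings whose enabled state hands a local resource to the remote host.
# Integer (i) keys are on when the value is 1; string (s) keys when non-empty.
REDIRECT_KEYS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
    "usbdevicestoredirect": "USB devices",
    "redirectclipboard": "clipboard",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn / Windows Hello",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
}

def parse_rdp(data: bytes) -> dict:
    """Decode an .rdp file (UTF-16 with BOM as mstsc writes it, else UTF-8)
    into {setting: (type, value)}; the value may itself contain ':'."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)          # "full address:s:host:3389"
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = (parts[1].strip().lower(), parts[2].strip())
    return settings

def triage(data: bytes) -> dict:
    """Report the three facts the Windows security dialog shows for an RDP file."""
    s = parse_rdp(data)
    address = s.get("full address", ("s", ""))[1]
    # A signed file carries 'signscope' and a 'signature' blob. Presence only
    # shows the file was signed; the publisher still has to be verified.
    signed = "signscope" in s and "signature" in s
    enabled = [label for key, label in REDIRECT_KEYS.items()
               if key in s and (s[key] == ("i", "1") or (s[key][0] == "s" and s[key][1]))]
    verdict = "caution" if (not signed or enabled) else "review"
    return {"remote_address": address, "signed": signed,
            "redirections": enabled, "verdict": verdict}

# Constructed sample: an unsigned file requesting drive, clipboard and
# authentication-device redirection, encoded UTF-16 with BOM like mstsc output.
SAMPLE_RDP = ("full address:s:rdp.example.invalid:3389\r\n"
              "drivestoredirect:s:*\r\nredirectclipboard:i:1\r\n"
              "redirectsmartcards:i:1\r\nredirectwebauthn:i:1\r\n"
              "redirectprinters:i:0\r\n").encode("utf-16")

if __name__ == "__main__":
    print(triage(SAMPLE_RDP))
```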

Scope and Limitations

It is important to note that these new protections specifically apply to connections initiated by opening RDP files directly. They do not affect connections made through the standard Windows Remote Desktop client application. Users and administrators who rely on the built-in client rather than standalone RDP files will not see the new dialogs.

Administrator Override Option

Microsoft has provided a mechanism for administrators who need to temporarily disable these protections in managed environments. By navigating to the registry key HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client and modifying the RedirectionWarningDialogVersion value to 1, administrators can suppress the new warning dialogs. However, given the well-documented history of RDP file abuse in real-world attacks, Microsoft strongly recommends keeping these protections enabled wherever possible.

Why This Matters

The addition of default-off resource redirections is particularly significant. In previous configurations, an unsuspecting user who opened a malicious RDP file might unwittingly hand an attacker full access to their local drives and clipboard without any visible indication that something was amiss. The new dialogs force transparency at the moment of connection, making it far harder for phishing campaigns to silently exploit this functionality.

With APT29 and other sophisticated actors continuing to incorporate RDP-based lures into their toolkits, these platform-level protections represent a meaningful step toward reducing the attack surface for both enterprise users and everyday Windows consumers.


Source: BleepingComputer
