Microsoft has taken significant steps to enhance the security of its Windows operating systems by introducing new protections against phishing attacks that exploit Remote Desktop Protocol (RDP) connection files. These .rdp files, often utilized in enterprise settings for seamless connections to remote systems, have become a target for malicious actors who leverage their functionality to compromise sensitive data.
In recent years, cybercriminals, including state-sponsored groups like APT29 from Russia, have increasingly weaponized RDP files in their phishing campaigns. When these files are opened, they can connect to servers controlled by attackers, enabling unauthorized access to local drives, credentials, and other sensitive information. This capability allows attackers to not only steal files but also capture clipboard data, potentially exposing passwords and other confidential text.
New RDP protections roll out
In response to these growing threats, Microsoft has rolled out new security measures as part of the April 2026 cumulative updates for Windows 10 and Windows 11. These updates, identified as KB5082200, KB5083769, and KB5082052, aim to prevent the misuse of RDP connection files by implementing several key features.
Upon the first opening of an RDP file, users will encounter a one-time educational prompt detailing what RDP files are and the associated risks. This prompt requires users to acknowledge their understanding of the potential dangers before proceeding, ensuring that they are informed about the implications of their actions.
[Image omitted. Source: Microsoft]
Subsequent attempts to open RDP files will trigger a security dialog that provides critical information before any connection is established. This dialog will indicate whether the RDP file is signed by a verified publisher, display the address of the remote system, and list every local resource redirection the file requests—such as drives and clipboard—with all of those redirections disabled by default.
If an RDP file lacks a digital signature, Windows will present a “Caution: Unknown remote connection” warning, clearly marking the publisher as unverified. Conversely, if the file is digitally signed, users will see the publisher’s name but will still be advised to verify its legitimacy prior to connecting.
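The dialog described above surfaces three things a defender cares about before a connection is made: the remote address, whether the file is publisher-signed, and which local resources it asks to redirect. The following Python helper, added here as an illustration and not Microsoft's code or anything shipped in the update, extracts the same three facts from an `.rdp` file's `name:type:value` lines so that a mail gateway or triage script can flag a suspicious attachment. It treats a file as signed only if both `signscope` and `signature` settings are present; it does not cryptographically verify the signature, which remains the Windows client's job. The sample files at the bottom are constructed, and the signature blob in the signed sample is a placeholder.

```python
"""Triage helper for .rdp connection files (added example; not Microsoft's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Local-resource redirection settings from the documented .rdp file format.
# Each entry maps a setting name to a predicate that is true when the
# redirection is switched on (string lists are on when non-empty, integer
# flags when equal to "1").
_REDIRECTION_CHECKS: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v != "",     # "*" means every local drive
    "devicestoredirect": lambda v: v != "",
    "camerastoredirect": lambda v: v != "",
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
}


@dataclass
class RdpTriage:
    address: str
    signed: bool
    redirections: List[str] = field(default_factory=list)
    settings: Dict[str, str] = field(default_factory=dict)


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into a dict (the type letter is dropped).

    Blank or malformed lines are skipped rather than raising, because real
    files occasionally contain them and a triage tool should still report.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        name, _typ, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def triage_rdp(text: str) -> RdpTriage:
    """Report address, signature presence and requested redirections."""
    settings = parse_rdp(text)
    address = settings.get("full address", "")
    # A publisher-signed file carries the list of signed settings (signscope)
    # and the signature blob. Only presence is checked here; verifying the
    # signature against a trusted publisher is left to the Windows client.
    signed = bool(settings.get("signscope")) and bool(settings.get("signature"))
    redirections = [
        key for key, is_on in _REDIRECTION_CHECKS.items()
        if is_on(settings.get(key, ""))
    ]
    return RdpTriage(address, signed, redirections, settings)


def caution_line(t: RdpTriage) -> str:
    """One-line verdict in the spirit of the Windows dialog."""
    target = t.address or "<no address>"
    if not t.signed:
        return f"Caution: Unknown remote connection to {target} (publisher unverified)"
    return f"Signed connection to {target}; verify the publisher before connecting"


# Constructed sample files for demonstration (not captured artefacts).
UNSIGNED_SAMPLE = """\
screen mode id:i:2
full address:s:remote.example.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
"""

SIGNED_SAMPLE = UNSIGNED_SAMPLE + """\
signscope:s:Full Address,Drive Store Direct
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

if __name__ == "__main__":
    for label, sample in (("unsigned", UNSIGNED_SAMPLE), ("signed", SIGNED_SAMPLE)):
        t = triage_rdp(sample)
        print(f"{label}: {caution_line(t)}")
        print("  redirections requested:", ", ".join(t.redirections) or "none")
```

Running the script on the unsigned sample reports the remote address, flags the publisher as unverified, and lists `drivestoredirect` and `redirectclipboard` as the redirections the file would request; the printer redirection is omitted because its flag is `0`.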
[Image omitted. Source: Microsoft]
It is important to note that these new protections specifically apply to connections initiated through RDP files and do not extend to those made via the Windows Remote Desktop client. For administrators who wish to temporarily disable these protections, modifications can be made in the Windows Registry. However, given the historical abuse of RDP files in cyberattacks, it is strongly advised to keep these safeguards enabled to protect sensitive information.