
Microsoft has launched new Windows protections to defend against phishing attacks that abuse Remote Desktop connection (.rdp) files, adding warnings and disabling risky shared resources by default.
RDP files are commonly used in enterprise environments to connect to remote systems because admins can preconfigure them to automatically redirect local resources to the remote host.
Threat actors have increasingly abused this functionality in phishing campaigns. The Russian state-sponsored APT29 hacking group has previously used rogue RDP files to remotely steal data and credentials from victims.
When opened, these files can connect to attacker-controlled systems and redirect local drives to the connected device, allowing the attacker-controlled device to steal files and credentials stored on disk.
They can also capture clipboard data, such as passwords or sensitive text, or redirect authentication mechanisms like smart cards or Windows Hello to impersonate users.
New RDP protections roll out
As part of the April 2026 cumulative updates for Windows 10 (KB5082200) and Windows 11 (KB5083769 and KB5082052), Microsoft has now launched new protections to prevent malicious RDP connection files from being used on devices.
“Malicious actors misuse this functionality by sending RDP files through phishing emails,” warns Microsoft.
“When a victim opens the file, their device silently connects to a server controlled by the attacker and shares local resources, giving the attacker access to files, credentials, and more.”
After installing this update, when users open an RDP file for the first time, a one-time educational prompt is shown that explains what RDP files are and warns about their risks. Windows users will then be prompted to acknowledge that they understand the risks and press OK, which will prevent the alert from being shown again.

Future attempts to open RDP files will now display a security dialog before any connection is made.
This dialog shows whether the RDP file is signed by a verified publisher, the remote system’s address, and lists all local resource redirections, such as drives, clipboard, or devices, with every option disabled by default.
If a file is not digitally signed, Windows displays a “Warning: Unknown remote connection” warning and labels the publisher as unknown, indicating there is no way to verify who created the file.

If the RDP file is digitally signed, Windows will display the publisher, but still warn you to verify their legitimacy before connecting.
It should be noted that these new protections apply only to connections initiated by opening RDP files, not to those made through the Windows Remote Desktop client.
Microsoft says that administrators can temporarily disable these protections by going to the HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client Registry key and modifying the RedirectionWarningDialogVersion value so it’s set to 1.
However, as RDP files have historically been abused in attacks, it’s strongly recommended to keep these protections enabled.
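For mail-gateway or helpdesk triage, the same three facts the security dialog surfaces (remote address, signature presence, requested redirections) can be read straight from the .rdp text. The Python below is an added example, not code from Microsoft or this article; the function names and the sample file are constructed, and it assumes the standard .rdp property names and that the file has already been decoded to text (.rdp files are often UTF-16).

```python
# Constructed sample .rdp content for illustration; not taken from a real campaign.
SAMPLE_RDP = """\
full address:s:rdp.example.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:0
redirectwebauthn:i:1
"""

# Standard .rdp properties that redirect local resources -> readable label.
REDIRECTS = {
    "drivestoredirect": "drives",
    "devicestoredirect": "devices",
    "redirectclipboard": "clipboard",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn / Windows Hello",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
}


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: value} (names lower-cased)."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def triage(text):
    """Report address, signature presence and explicitly requested redirections."""
    s = parse_rdp(text)
    # Integer flags count as on when non-zero, string lists when non-empty.
    # Properties absent from the file fall back to client defaults and are not reported.
    enabled = [label for key, label in REDIRECTS.items()
               if s.get(key, "") not in ("", "0")]
    return {
        "address": s.get("full address", ""),
        "signed": bool(s.get("signature")),  # presence only; the signature is not validated
        "redirects": sorted(enabled),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RDP))
```

An unsigned file that requests drive, clipboard or smart card redirection to an unfamiliar address is the pattern worth escalating.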


