Microsoft adds Windows protections for malicious Remote Desktop files
Key Points:
- Microsoft has introduced new security features in the April 2026 cumulative updates for Windows 10 and 11 to protect against phishing attacks exploiting Remote Desktop Protocol (RDP) connection files.
- These updates add a one-time educational prompt that explains RDP file risks and requires user acknowledgment before such files can be opened, followed by a security dialog that shows the file's signature, the remote address, and the local resource redirections, which are disabled by default.
- Unsigned RDP files trigger a caution warning about unknown publishers, while signed files display the publisher but still advise users to verify legitimacy before connecting.
- The new protections apply only to RDP connections initiated by opening .rdp files, not to those made through the Remote Desktop client, and administrators can temporarily disable these warnings via a registry setting, though Microsoft strongly recommends keeping them enabled.
- This move addresses increasing abuse of RDP files by threat actors, including state-sponsored groups like Russia's APT29, who use them to steal data and credentials and to impersonate users through redirected local resources.
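
The fields the new security dialog surfaces (signature, remote address, local resource redirections) can also be read directly from an .rdp file, for example when triaging mail attachments. The following is an added example, not Microsoft's code: the function names and the sample file are constructed for illustration, and the presence check on `signature` does not validate the signature.

```python
# Added example: triage an .rdp file for signature, remote address and
# enabled local resource redirections. The sample file below is constructed.

def _flag(value):   # integer settings: "1" means enabled
    return value.strip() == "1"

def _listed(value):  # string settings: any non-empty list ("*", "C:\\;") redirects
    return value.strip() != ""

REDIRECTIONS = {
    "redirectclipboard": _flag, "redirectprinters": _flag,
    "redirectsmartcards": _flag, "redirectcomports": _flag,
    "redirectwebauthn": _flag, "audiocapturemode": _flag,
    "drivestoredirect": _listed, "devicestoredirect": _listed,
    "usbdevicestoredirect": _listed, "camerastoredirect": _listed,
}

def decode(raw):
    """.rdp files are commonly UTF-16 with a BOM; fall back to UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lowercase name."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():
        parts = line.strip().split(":", 2)  # value may itself contain ':'
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = parts[2]
    return settings

def triage(text):
    s = parse_rdp(text)
    return {
        "remote_address": s.get("full address", "").strip() or None,
        # Presence only: an unsigned file has no signature line at all.
        "signed": bool(s.get("signature", "").strip()),
        "redirections": sorted(
            name for name, enabled in REDIRECTIONS.items()
            if name in s and enabled(s[name])),
    }

SAMPLE = ("full address:s:rdp.example.test:3389\n"   # constructed sample
          "redirectclipboard:i:1\n"
          "drivestoredirect:s:*\n"
          "redirectprinters:i:0\n")

if __name__ == "__main__":
    print(triage(SAMPLE))
```
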