Microsoft adds Windows protections against malicious Remote Desktop files
Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection files, adding warnings and disabling risky shared resources.
Remote Desktop Protocol files are commonly used in enterprise environments to connect to remote systems because administrators can preconfigure them to automatically redirect local resources to the remote host. Threat actors have increasingly abused this functionality in phishing campaigns, with state-sponsored hacking groups using rogue RDP files to remotely steal data and credentials.
When opened, malicious RDP files can connect to attacker-controlled systems and redirect local drives to the connected device, allowing attackers to steal files and credentials stored on disk. They can also capture clipboard data such as passwords or redirect authentication mechanisms to impersonate users.
As part of the April 2026 cumulative updates for Windows 10 and Windows 11, Microsoft has released new protections to prevent malicious RDP connection files from being used on devices. When users open an RDP file for the first time after installing the update, a one-time educational prompt explains what RDP files are and warns about their risks.
Future attempts to open RDP files will display a security dialog before any connection is made. This dialog shows whether the RDP file is signed
If a file is not digitally signed, Windows displays a 'Caution: Unknown remote connection' warning and labels the publisher as unknown. If the RDP file is digitally signed, Windows displays the publisher but still warns users to verify their legitimacy before connecting.
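A static check that a mail gateway or analyst could run over an .rdp attachment before anyone opens it, reporting the redirection settings described above and whether the file carries a signature field at all. This is an added example, not code from Microsoft or the original article; the sample file and the host `rdp.example.net` are constructed, and the presence of a `signature` field is not a verified signature.

```python
import codecs

# Setting names are standard .rdp properties; the risk notes are this
# example's own wording, not Microsoft's dialog text.
RISKY = {
    "drivestoredirect": "local drives exposed to the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectsmartcards": "smart cards usable from the remote session",
    "redirectwebauthn": "WebAuthn requests redirected to local authenticators",
    "redirectprinters": "local printers shared",
    "devicestoredirect": "plug and play devices shared",
}

def decode_rdp(raw: bytes) -> str:
    """Files saved by the client are often UTF-16 with a BOM; others are UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(raw: bytes) -> dict:
    """Return {name: (type, value)} from 'name:type:value' lines."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings

def triage(raw: bytes) -> dict:
    """Report explicit settings only; absent ones fall back to client defaults."""
    s = parse_rdp(raw)
    findings = []
    for name, note in RISKY.items():
        kind, value = s.get(name, ("", ""))
        if (kind == "i" and value not in ("", "0")) or (kind == "s" and value):
            findings.append(f"{name}={value}: {note}")
    return {
        "target": s.get("full address", ("s", ""))[1],
        "has_signature": bool(s.get("signature", ("s", ""))[1]),
        "findings": findings,
    }

# Constructed sample file; rdp.example.net is a placeholder host.
SAMPLE = ("full address:s:rdp.example.net:3389\r\ndrivestoredirect:s:*\r\n"
          "redirectclipboard:i:1\r\nredirectprinters:i:0\r\n").encode("utf-16")

if __name__ == "__main__":
    print(triage(SAMPLE))
```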
The new protections apply only to connections initiated
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.