Microsoft Hardens Windows Against RDP File Phishing Attacks
**Microsoft** has rolled out new security measures in **Windows** to combat phishing attacks leveraging Remote Desktop Connection (.rdp) files. The updates include new warnings and default disabling of risky shared resources to mitigate potential exploits.

Remote Desktop Protocol (RDP) files are commonly used within enterprise environments to streamline connections to remote systems. Administrators can preconfigure these files to automatically redirect local resources to the remote host.
However, threat actors have increasingly exploited this functionality in phishing campaigns. The Russian state-sponsored APT29 hacking group has previously utilized malicious RDP files to remotely exfiltrate data and credentials from victims.
When opened, these malicious files connect to attacker-controlled systems and redirect local drives, granting unauthorized access to files and credentials stored on the disk. Attackers can also intercept clipboard data, such as passwords and sensitive text, or redirect authentication mechanisms like smart cards or **Windows** Hello to impersonate users.
## New RDP Protections Roll Out
As part of the April 2026 cumulative updates for **Windows** 10 (KB5082200) and **Windows** 11 (KB5083769 and KB5082052), **Microsoft** has introduced new protections designed to prevent the exploitation of malicious RDP connection files.
"Malicious actors misuse this capability by sending RDP files through phishing emails," warns **Microsoft**. "When a victim opens the file, their device silently connects to a server controlled by the attacker and shares local resources, giving the attacker access to files, credentials, and more."
After installing the update, users will encounter a one-time educational prompt upon opening an RDP file for the first time. This prompt explains the nature of RDP files and highlights potential risks. Users must acknowledge that they understand the risks before proceeding; once acknowledged, the alert does not appear again.

Future attempts to open RDP files will trigger a security dialog before any connection is established. This dialog shows whether the RDP file is signed by a verified publisher, displays the remote system's address, and lists all local resource redirections (drives, clipboard, devices), with every option disabled by default.
If a file lacks a digital signature, **Windows** displays a "Caution: Unknown remote connection" warning, indicating that the publisher cannot be verified.

Even if the RDP file is digitally signed, **Windows** will display the publisher but still advise users to verify the publisher's legitimacy before connecting.
These new protections apply exclusively to connections initiated by opening RDP files, and not to connections made directly through the **Windows** Remote Desktop client.
Administrators can temporarily disable these protections by modifying the **RedirectionWarningDialogVersion** value in the **HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client** Registry key, setting it to **1**. However, given the historical abuse of RDP files in attacks, maintaining these protections is strongly recommended.