Microsoft Closes APT29's Favourite Phishing Door With New RDP File Protections

The April 2026 Windows update introduces mandatory security warnings for RDP connection files and blocks their requested redirections by default, directly countering the technique used by APT29 and other threat actors to silently redirect local drives and harvest credentials. Organisations using Windows 10 and 11 should confirm the KB is deployed.


Microsoft has shipped a significant defensive change in the April 2026 cumulative updates for Windows 10 and Windows 11 that directly addresses a phishing technique documented in campaigns by APT29 and other advanced threat actors: malicious .rdp files that establish connections to attacker-controlled systems and silently redirect local drives, clipboard, and devices.

The change, included in Windows 11 KB5083769 and KB5082052 and Windows 10 KB5082200, means that opening an RDP file now triggers a security dialogue showing the remote system's address, whether the file carries a verified digital signature, and an explicit list of all requested local resource redirections, with all redirections disabled by default.

The Attack This Closes

Remote Desktop Protocol files are plaintext configuration documents that specify connection parameters including the remote host, display settings, and, critically, which local resources should be shared with the remote session. A malicious .rdp file can request access to local drives, clipboard contents, cameras, microphones, printers, smart card readers, and other peripherals.

APT29, the Russian Foreign Intelligence Service-linked threat group, exploited this in spear-phishing campaigns by attaching or linking to .rdp files that, when opened, connected victims to infrastructure under the group's control. Because Windows previously applied no default prompting for redirections requested in .rdp files, the connection would proceed silently, granting the attacker's system access to whatever resources the file requested. Credential material stored in files, clipboard content, and data accessible through redirected drives were all reachable without any further user interaction.

The technique was notable precisely because it exploited legitimate Windows functionality (no vulnerability was required) and because the victim saw only the standard Remote Desktop connection prompt, with no indication of which local resources were being shared.

What Changes With the April 2026 Update

The new security dialogue surfaces information that Windows previously left implicit. Before any connection is made, the user now sees:

  • Whether the .rdp file was signed by a verified publisher; unsigned files receive a "Caution: Unknown remote connection" warning
  • The address of the remote system the file will connect to
  • A complete list of all redirections the file requests (drives, clipboard, devices), with each redirection individually enumerated and disabled by default

A user must explicitly enable each requested redirection before the connection proceeds. Files signed by a verified publisher receive a standard connection prompt; files with an unknown publisher receive a prominent caution label.
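The .rdp format described above is plain `name:type:value` text, so the three facts the new dialogue surfaces (target address, signature presence, requested redirections) can be pulled out of a file before anyone opens it. The following triage script is an added example for this article, not Microsoft's code; the setting names are the real RDP file keys, the sample file and its 203.0.113.10 address are constructed, and "signed" here means only that a `signature` field is present, not that Windows has verified it.

```python
"""Triage an .rdp file the way the April 2026 dialogue does: target, signature, redirections."""

# RDP file settings that hand a local resource to the remote session, with a label per setting.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "devicestoredirect": "plug-and-play devices",
    "camerastoredirect": "cameras",
    "audiocapturemode": "microphone",
}

# Constructed sample: an unsigned file pointing at a documentation-range address (not a real host).
SAMPLE_RDP = """\
full address:s:203.0.113.10:3389
screen mode id:i:2
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
devicestoredirect:s:*
"""


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict; the value may itself contain colons (host:port)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.count(":") < 2:
            continue  # blank or malformed line
        name, _type, value = line.split(":", 2)
        settings[name.strip().lower()] = value.strip()
    return settings


def requested_redirections(settings):
    """Integer flags are on when '1'; string lists are on when non-empty ('*' means everything)."""
    return [label for key, label in REDIRECTION_KEYS.items()
            if settings.get(key, "") not in ("", "0")]


def triage(text):
    """Return the facts a user should weigh before accepting the connection."""
    settings = parse_rdp(text)
    return {
        "target": settings.get("full address", "<none>"),
        "signed": bool(settings.get("signature")),  # presence only; verification is Windows' job
        "redirections": requested_redirections(settings),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RDP))
```

Run over a mail-gateway quarantine, any unsigned file whose redirection list is non-empty is exactly the case the new caution dialogue was built for.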

An important limitation: the new protections apply only to connections initiated by opening .rdp files. Connections made directly through the Windows Remote Desktop client application are not affected.

Deployment Verification

The April 2026 Patch Tuesday updates are mandatory, meaning systems configured for automatic updates will receive them. However, organisations with deferred update policies, managed deployment cycles, or Windows 10 systems running extended security updates should verify that the relevant KB is deployed across user endpoints, particularly for staff who regularly receive external attachments or work in sectors that have been APT29 targets.

Organisations running Windows Server should note that the protection applies when a client opens an .rdp file; it does not change how a server accepts incoming connections.

  1. Verify KB deployment: confirm KB5083769/KB5082052 (Windows 11) or KB5082200 (Windows 10) is installed across user endpoints via your patch management tooling
  2. Update security awareness training: brief security teams that the new .rdp file warnings now provide users with actionable information; train users to reject unexpected redirections and treat unsigned .rdp files from external sources as high-risk
  3. Review existing .rdp file policies: audit whether your organisation distributes signed .rdp files for legitimate remote access; where practical, sign files with your code-signing certificate to prevent them from displaying the unsigned-file caution warning
  4. Apply network-level controls regardless: the Windows change reduces user-layer risk but does not replace network controls; ensure outbound RDP to non-approved destinations remains blocked at the perimeter and DNS filtering is in place for known malicious RDP infrastructure
