
Microsoft’s April 2026 Update Adds New RDP Security Warnings to Protect Against Phishing via .rdp Files

dark6 25 April 2026

Microsoft has introduced a significant behavioral change to the Windows Remote Desktop Connection application (MSTSC) as part of its April 2026 Patch Tuesday update — new multi-layer warning dialogs designed to shield users from phishing campaigns that weaponize Remote Desktop Protocol (.rdp) files.

The Threat: How .rdp Files Are Weaponized

Remote Desktop (.rdp) files have become a favoured social-engineering tool for compromising enterprise environments. An .rdp file is a plain-text list of connection settings; opening it launches the Remote Desktop Connection client (mstsc.exe) and starts a session to whatever host the file names. Attackers attach crafted .rdp files to phishing emails and lure recipients into opening them. Because the connection is outbound from the victim's machine, it usually passes host and perimeter firewalls, and nothing has to be installed. Once the session is up, the file's redirection settings expose local resources to the attacker's server: local drives (readable and writable from the remote side), the clipboard, printers, and smart cards and WebAuthn authenticators, which the remote host can use to authenticate as the victim for as long as the session lasts. The victim sees what looks like an ordinary remote desktop and has little indication that anything has gone wrong.

One of the most notable campaigns using this technique was run by Midnight Blizzard, the Russian state-sponsored group also tracked as Cozy Bear and APT29, and was reported by Microsoft in October 2024. Midnight Blizzard distributed malicious .rdp files as email attachments in large-scale spear-phishing operations against government organizations, NGOs, and research institutions. The files looked routine, but as soon as a victim connected they mapped the victim's local drives, clipboard, and smart cards to the attacker's server.

What Microsoft’s April 2026 Update Changes

The cumulative update KB5083769, released on April 14, 2026, for Windows 11 versions 25H2 and 24H2 (builds 26200.8246 and 26100.8246), introduces two distinct new dialog experiences when a user opens any .rdp file:

  • First-time education dialog (one-time per account): The first time a user opens an .rdp file after installing the update, Windows displays an informational prompt that explains what RDP files are and the risks they carry. The user must actively acknowledge and allow the connection. This dialog appears only once per user account, unless Microsoft updates the dialog version in a future patch.
  • Per-connection security dialog (shown every time): Each subsequent time an .rdp file is opened, a security warning dialog appears before any connection is established. This dialog displays the remote computer’s network address, indicates whether the .rdp file is digitally signed by a verified and trusted publisher, and lists all local resource redirections the file is requesting — including drives, clipboards, printers, smart cards, and WebAuthn credentials.

Why This Matters for Enterprise Security

The per-connection dialog is the more impactful change from a security standpoint. By surfacing the target address, the signing status and the full set of resource redirections before the connection is made, it gives users and administrators a concrete chance to spot a suspicious request. An .rdp file that asks for local drives, smart cards or WebAuthn redirection without a clear business reason should be refused; an unfamiliar external address combined with those redirections is exactly the phishing pattern described above. The dialog is still only a prompt, so users who are used to clicking through warnings need to be shown what it displays. Security awareness training programs should be updated to cover the new dialog, what to look for in it, and when to abort a connection.

For organizations with managed device fleets, Group Policy can enforce stricter .rdp file handling. Under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client, setting "Allow .rdp files from unknown publishers" to Disabled blocks files that are unsigned or signed by a publisher that is not trusted, and "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" defines which signing certificates count as trusted; the same settings are backed by the AllowUnsignedFiles and TrustedCertThumbprints values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. These policies govern .rdp files only: a user can still type a host name into the Remote Desktop Connection client, so restricting which hosts can be reached is a job for outbound firewall rules or a Remote Desktop Gateway rather than for .rdp signing policy. IT administrators should review existing RDP policies in light of this update and tighten controls where appropriate.

Recommendations for Security Teams

  • Deploy the update promptly: Apply KB5083769 to all Windows 11 endpoints to enable the new warning dialogs as quickly as possible.
  • Review email gateway policies: Block or quarantine .rdp attachments in inbound email, including .rdp files inside archives, since legitimate business workflows rarely require emailing raw .rdp files.
  • Update security awareness training: Educate employees on the new dialog, what to look for, and when to refuse an RDP connection initiated by an .rdp file.
  • Audit existing .rdp files: Inventory the .rdp files in use across the organization and confirm that they are signed by a publisher you control, point only at internal hosts, and request no more redirection than the workflow needs.
  • Enforce Group Policy restrictions: Use the policies under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client (in particular "Allow .rdp files from unknown publishers" set to Disabled, together with a list of trusted publisher thumbprints) to restrict .rdp file usage where feasible.
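The script below is an added example, not code from the article or from Microsoft. It does from the file side what the per-connection dialog does on screen: it parses an .rdp file's name:type:value lines, reports the target host, notes whether a publisher signature is present (presence only; it does not cryptographically verify the signature, which the client does), lists every redirection the file requests, and classifies the file as allow, review or block. It is the kind of check a mail-gateway hook or the audit of existing .rdp files above could run. The trusted host suffix .corp.example, the severities assigned to each setting, both sample files and the placeholder signature value are constructed for this example.

```python
"""Static audit of .rdp files for the redirections that .rdp phishing abuses.
Added example, not Microsoft's code or the article's. Signature handling is
presence-only (no cryptographic check); the trusted-suffix allowlist and the
sample files below are constructed assumptions."""
from __future__ import annotations

import codecs
from dataclasses import dataclass

# Flags (name:i:1) and lists (name:s:* or name:s:C:;D:) that hand local resources
# to the remote host, with the severity this example assigns to each.
RISKY_FLAGS = {
    "redirectsmartcards": ("high", "smart cards"),
    "redirectwebauthn": ("high", "WebAuthn/passkey authenticators"),
    "redirectclipboard": ("low", "clipboard"),
    "redirectprinters": ("low", "printers"),
}
RISKY_LISTS = {
    "drivestoredirect": ("high", "local drives"),
    "usbdevicestoredirect": ("medium", "USB devices"),
}
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    severity: str
    detail: str


def parse_rdp(data: bytes) -> dict[str, str]:
    """Return {setting name (lower-case): value}. mstsc saves UTF-16LE with a BOM;
    hand-built phishing files are often plain ASCII, so both are accepted."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = data.decode("utf-16")  # the utf-16 codec consumes the BOM
    else:
        text = data.decode("utf-8-sig", errors="replace")
    settings: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may contain ':' (host:port)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = parts[2]
    return settings


def audit_rdp(data: bytes, trusted_suffixes=(".corp.example",)) -> tuple[str, list[Finding]]:
    """Classify an .rdp file as 'allow', 'review' or 'block' and say why.
    trusted_suffixes is an assumed allowlist of internal host-name suffixes."""
    s = parse_rdp(data)
    host = s.get("full address") or s.get("alternate full address") or ""
    hostname = host.split(":")[0].lower()  # drop :port; IPv6 literals not handled
    external = bool(hostname) and not hostname.endswith(trusted_suffixes)
    findings = [Finding("medium" if external else "info",
                        f"target host {hostname or '<none>'} is "
                        f"{'outside' if external else 'inside'} the trusted suffixes")]
    if "signature" in s and "signscope" in s:
        # signscope lists the display names of the settings the signature covers;
        # a setting absent from it can be edited without invalidating the signature.
        scope = [x.strip().lower() for x in s["signscope"].split(",")]
        findings.append(Finding("info", "publisher signature present (not verified here)"))
        if "full address" not in scope:
            findings.append(Finding("high", "signature does not cover Full Address"))
    else:
        findings.append(Finding("medium", "unsigned: every setting is sender-controlled"))
    for name, (sev, desc) in RISKY_FLAGS.items():
        if s.get(name, "").strip() == "1":
            findings.append(Finding(sev, f"redirects {desc} ({name}:i:1)"))
    for name, (sev, desc) in RISKY_LISTS.items():
        if s.get(name, "").strip():
            findings.append(Finding(sev, f"redirects {desc}: {s[name].strip()}"))
    if s.get("remoteapplicationmode", "").strip() == "1":
        findings.append(Finding("medium", "RemoteApp mode shows one window, not a desktop: "
                                f"program={s.get('remoteapplicationprogram', '<unset>')}"))
    if s.get("authentication level", "").strip() == "0":
        findings.append(Finding("medium", "authentication level 0: server identity never checked"))
    worst = max(RANK[f.severity] for f in findings)
    verdict = ("block" if worst == RANK["high"] and external
               else "review" if worst >= RANK["medium"] else "allow")
    return verdict, findings


# Constructed sample resembling a phishing attachment: external host, full redirection.
PHISH_RDP = b"""full address:s:rdp.attacker-infra.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Secure-Portal
authentication level:i:0
"""
# Constructed sample of a legitimate internal file as mstsc saves it (UTF-16LE with BOM);
# the signature value is a placeholder, not a real signature blob.
LEGIT_RDP = codecs.BOM_UTF16_LE + (
    "full address:s:jump01.corp.example\r\ndrivestoredirect:s:\r\n"
    "redirectclipboard:i:1\r\nredirectsmartcards:i:0\r\nredirectwebauthn:i:0\r\n"
    "authentication level:i:2\r\nsignscope:s:Full Address,Alternate Full Address,Server Port\r\n"
    "signature:s:AQABAAEAAAAAAA==\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("phish.rdp", PHISH_RDP), ("jump01.rdp", LEGIT_RDP)):
        verdict, findings = audit_rdp(blob)
        print(label, verdict, *(f"\n  [{f.severity}] {f.detail}" for f in findings))
```

Run stand-alone it prints "phish.rdp block" with the drive, smart-card and WebAuthn redirections flagged high, and "jump01.rdp allow". An internal host that still asks for drive redirection comes back as "review" rather than "block", which is the distinction an audit of existing files needs: the redirection is suspicious, the destination is not. A gateway that follows the recommendation above to drop .rdp attachments outright does not need the verdict logic, only the parser and the findings for the quarantine notice.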

Broader Context: RDP as an Attack Surface

This update is part of Microsoft's broader effort to reduce the attack surface presented by Remote Desktop Protocol, which has historically been one of the most abused vectors in ransomware intrusions and nation-state operations. Alongside .rdp file phishing, RDP brute-force attacks and exposed RDP endpoints remain a top initial access technique catalogued by incident response teams worldwide. The new warning dialogs address only the phishing vector, and only when the file is opened with the Remote Desktop Connection client; organizations should continue to enforce strong authentication, network-level access controls (such as VPN gating, a Remote Desktop Gateway, or Microsoft Entra Conditional Access), and monitoring of all RDP traffic.

Conclusion

Microsoft’s decision to add persistent, informative security dialogs to the Remote Desktop Connection client is a welcome step in reducing the effectiveness of .rdp file phishing campaigns. While no UI warning is a substitute for proper network controls and security training, these changes raise the bar for attackers and provide users with actionable information before potentially dangerous connections are established. Organizations should deploy the April 2026 update broadly and use this as an opportunity to review and strengthen their overall RDP security posture.
