Microsoft has implemented a significant update to the Windows Remote Desktop Connection application as part of its April 2026 Patch Tuesday release. This update introduces new warning dialogs aimed at protecting users from phishing attacks that exploit Remote Desktop Protocol (.rdp) files. These files have been increasingly used by threat actors to redirect user sessions to malicious infrastructure without their knowledge.
The update comes in response to a formal report from the United Kingdom's National Cyber Security Centre, which identified a spoofing vulnerability in Remote Desktop. Notably, the Russian state-sponsored group Midnight Blizzard has been involved in distributing malicious RDP files through spear-phishing campaigns. These files often appeared routine but requested access to local resources, such as drives and credentials, before users realized the threat.
With the new update, Microsoft introduces two types of dialogs when an .rdp file is opened. The first-time education dialog appears once per account, explaining the risks associated with RDP files. Subsequently, a per-connection security dialog is shown every time an RDP file is opened, detailing the remote computer’s address, the file’s digital signature status, and any requested local resource redirections. All resource redirections are disabled by default, requiring user approval.
The update emphasizes a ‘secure by default’ approach, addressing the previous lack of warnings when opening RDP files. This change aims to prevent malicious files from silently requesting broad local access. Organizations are encouraged to standardize the use of signed RDP files to mitigate the risk of phishing attacks.
Administrators can temporarily revert to the legacy dialog behavior by adjusting the RedirectionWarningDialogVersion registry value, though this is not recommended for long-term use. It is advised that users apply the latest security patch and ensure their RDP files are digitally signed to maintain a secure environment.
Source: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/understanding-security-warnings



