Windows adds RDP phishing warnings
Microsoft has rolled out clearer warnings for Remote Desktop (RDP) files to help users spot phishing attempts that route them into hostile sessions. Multiple outlets reported the April update increases the visibility of RDP phishing prompts for Windows 10 and 11 users. The change matters because RDP files are often trusted by admins and support staff and can be used to socially engineer privileged access ( | ).
Remote Desktop is Windows’ built-in way to control another computer over a network, and a small Remote Desktop Protocol file can prefill that connection. Starting with Microsoft’s April 2026 security update, Windows now puts a larger warning in front of those files before the session starts. (learn.microsoft.com) Microsoft said the change applies to Windows 10 and Windows 11 and arrived with the April 2026 security update released on April 14. The company’s April update notes list the affected packages as KB5083769 for Windows 11 versions 25H2 and 24H2, KB5082052 for Windows 11 version 23H2, and KB5082200 for Windows 10 versions 22H2 and 21H2. (m365admin.handsontek.net) The new flow adds two prompts. The first time a user opens an Remote Desktop Protocol file after installing the update, Windows shows a one-time educational warning; after that, every file opens a security dialog before any connection is made. (learn.microsoft.com) That dialog now shows the remote computer address and lists each local resource the file wants to share, including items such as the clipboard, drives, or camera. Microsoft said every requested resource is turned off by default and must be enabled manually. (learn.microsoft.com) The update targets a phishing trick that hides inside an attachment most office workers never open but many administrators and support staff do. Microsoft said a malicious Remote Desktop Protocol file can silently connect a device to an attacker-controlled server and expose local files, credentials, and other redirected resources. (learn.microsoft.com) Security researchers and trade outlets said the change followed a spoofing issue reported to Microsoft by the United Kingdom’s National Cyber Security Centre. Tenable and other April Patch Tuesday writeups tied the warning overhaul to CVE-2026-26151, a Remote Desktop spoofing vulnerability. (itnews.com.au) (tenable.com) Microsoft’s documentation says users should not open an unexpected Remote Desktop Protocol file, even if the email looks legitimate, and should verify the sender through a separate channel such as a phone call. The company also tells users to check the remote computer name or address in the dialog and leave unnecessary redirection boxes unchecked. (learn.microsoft.com) This is a user-interface fix as much as a code fix: Windows is no longer treating a Remote Desktop Protocol file like a routine shortcut. It is treating it like a request to hand a remote machine pieces of the local computer, and asking the user to approve each one first. (learn.microsoft.com)
