On October 22, 2024, Microsoft discovered a phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users across more than 100 organizations. The campaign was highly targeted, using lures disguised as Microsoft, Amazon Web Services (AWS), and Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration files (.RDP) contain automatic settings that are installed upon a successful connection to an RDP server. These configurations distribute local system features and resources to a remote, agent-controlled server.

In this campaign, the malicious .RDP attachment contained several sensitive settings that could have resulted in significant information disclosure. Once the target system was compromised, it would connect to the agent-controlled server and bidirectionally transmit resources from the target user’s local device to the server. Resources sent to the server may include, but are not limited to, all logical hard drives, clipboard contents, printers, attached peripherals, audio (including microphone), and Windows operating system authentication functions and features, including smart cards. Such access may allow a threat actor to install malware on local drives and mapped network shares, such as startup folders, or install additional tools such as remote access trojans (RATs) to maintain access after the RDP session is closed. The process of establishing an RDP connection to an agent-controlled system may also expose the credentials of the user logged on to the target system.

Source: https://www.microsoft.com/en-us/security...rdp-files/
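As an added example (not from the post or from Microsoft's write-up), a small Python triage script that parses an .rdp attachment and flags the resource-redirection settings the post describes; the setting names are the documented .rdp keys, and the sample file and its host are constructed.

```python
import re
# Settings that hand local resources to the remote host (documented .rdp keys).
RISKY_SETTINGS = {
    "drivestoredirect":   "local drives exposed to the remote host",
    "redirectclipboard":  "clipboard contents shared with the remote host",
    "redirectprinters":   "printers redirected",
    "redirectsmartcards": "smart cards usable by the remote host",
    "devicestoredirect":  "plug-and-play peripherals redirected",
    "audiocapturemode":   "microphone audio sent to the remote host",
    "redirectwebauthn":   "WebAuthn/Windows Hello requests forwarded",
}

# An .rdp line is "name:type:value"; type is i (integer) or s (string).
LINE_RE = re.compile(r"^([a-z0-9 ._-]+):([is]):(.*)$", re.IGNORECASE)

def parse_rdp(text):
    """Parse an .rdp file body into {name: int | str}; unknown lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or malformed line; the RDP client is lenient too
        name, kind, value = m.group(1).lower(), m.group(2).lower(), m.group(3).strip()
        is_int = kind == "i" and value.lstrip("-").isdigit()
        settings[name] = int(value) if is_int else value
    return settings

def assess_rdp(text):
    """Return (remote host, [findings]) for every redirection setting that is enabled."""
    s = parse_rdp(text)
    findings = []
    for key, why in RISKY_SETTINGS.items():
        v = s.get(key)
        # integer flags are on when nonzero; string lists (e.g. "*") are on when non-empty
        if (isinstance(v, int) and v != 0) or (isinstance(v, str) and v):
            findings.append(f"{key}={v}: {why}")
    return s.get("full address", ""), findings

# Constructed sample mirroring the settings the post lists; the host is a placeholder.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
redirectwebauthn:i:1
devicestoredirect:s:
"""
```

Run `assess_rdp` over a quarantined attachment's text to list which local resources it would redirect and to which host; an empty string or a zero value counts as disabled.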