
MalRDP: New Attack Method via the Remote Desktop Protocol

RDP in the Crosshairs

How a seemingly harmless RDP connection can compromise a company in seconds

The Remote Desktop Protocol (RDP) is one of the most widely used ways of accessing Windows systems remotely, especially in corporate environments. That ubiquity is exactly what makes RDP an attractive target. With a technique called "MalRDP", security researchers have demonstrated how an attacker can gain access to corporate systems over RDP in under two seconds, without the user or the administrators noticing anything.

Camouflage in a PowerPoint attachment

The attack usually starts with an inconspicuous email carrying a PowerPoint file as its attachment. Embedded in that file is an RDP connection file (.rdp) which, when opened, automatically connects the Remote Desktop client to a server under the attacker's control. A digital signature on the .rdp file can suppress the "unknown publisher" warning the client would otherwise show, which makes the lure look even more legitimate.

PyRDP in Action: Remote Control Through the Back Door

The attackers use "PyRDP", an open-source RDP man-in-the-middle tool. It sits between the victim's client and the RDP server, relays the session and records everything that passes through it, including the login credentials, without the user noticing anything. With those credentials in hand, the attacker can connect to the target system without being prompted for a password and obtains unrestricted access.

Data theft, malicious code, autorun—the process is automated

As soon as the connection is up, data extraction and infection proceed automatically:

  • The attacker uses RDP local drive redirection, which exposes the victim's drives to the server as \\tsclient\<drive>, to read data from the machine and to write files to it.
  • Scripts place the malware where it is executed automatically at the next user logon.
  • Tampered startup shortcuts relaunch the malware every time the computer restarts.
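To make the connection-file side of this concrete, here is an added example (not code from the original post or from the PyRDP project): a small Python triage script for .rdp attachments of the kind described under "Camouflage in a PowerPoint attachment", scoring the settings that enable the drive redirection used in the first step above. The .rdp layout is the plain-text name:type:value format mstsc.exe writes; the two sample files, the internal DNS suffix .corp.example, the placeholder signature value and the severity thresholds are constructed assumptions for this example.

```python
"""Static triage of .rdp connection files (added example, not from the post)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption for this example: the organisation's internal DNS suffix and address space.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Client-side settings that hand the victim's resources to whichever server the file points at.
# Only explicitly set values are scored; mstsc.exe applies its own defaults to absent settings.
RESOURCE_REDIRECTS = {
    "drivestoredirect": ("high", "local drives are exposed to the server as \\\\tsclient\\<drive>"),
    "redirectclipboard": ("medium", "clipboard is shared with the remote session"),
    "redirectsmartcards": ("medium", "smart cards are forwarded to the remote session"),
    "redirectprinters": ("low", "printers are forwarded to the remote session"),
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium", "low" or "info"
    message: str


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse mstsc's 'name:type:value' lines into {name: (type, value)}.

    Type is s (string), i (integer) or b (binary). Values may themselves contain
    colons ('full address:s:host:3389'), hence the split limit of 2.
    """
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line; mstsc ignores it too
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ.lower(), value)
    return settings


def is_internal_target(address: str, internal_suffixes: tuple[str, ...] = INTERNAL_SUFFIXES) -> bool:
    """True if 'full address' (optionally 'host:port') is a private IPv4 or an internal DNS name."""
    host = address.rsplit(":", 1)[0] if address.count(":") == 1 else address
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, treat it as a DNS name
        return host.lower().endswith(internal_suffixes)
    return any(ip in net for net in INTERNAL_NETS)


def triage(text: str, internal_suffixes: tuple[str, ...] = INTERNAL_SUFFIXES) -> list[Finding]:
    """Score the settings that matter for the MalRDP scenario."""
    settings = parse_rdp(text)
    findings: list[Finding] = []

    target = settings.get("full address", ("s", ""))[1]
    if not target:
        findings.append(Finding("medium", "no 'full address': the target is chosen at connect time"))
    elif not is_internal_target(target, internal_suffixes):
        findings.append(Finding("high", f"connects to a host outside the organisation: {target}"))

    for name, (severity, why) in RESOURCE_REDIRECTS.items():
        _typ, value = settings.get(name, ("", ""))
        if value not in ("", "0"):  # 's' settings list devices ('*' = all), 'i' settings are 0/1
            findings.append(Finding(severity, f"{name}={value}: {why}"))

    if settings.get("authentication level", ("i", "2"))[1] == "0":
        findings.append(Finding("medium", "authentication level:i:0: server certificate warnings are suppressed"))

    if "signature" in settings:
        findings.append(Finding("info", "file is signed: no 'unknown publisher' prompt if the signer is trusted"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'block' on any high finding or on two or more medium ones, otherwise 'allow'."""
    highs = sum(f.severity == "high" for f in findings)
    mediums = sum(f.severity == "medium" for f in findings)
    return "block" if highs or mediums >= 2 else "allow"


# Constructed sample of the kind of file the post describes (the signature value is a placeholder).
MALICIOUS_RDP = """\
screen mode id:i:2
full address:s:desk-support.example.net:3389
username:s:support
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
authentication level:i:0
prompt for credentials:i:0
signscope:s:Full Address,Drive Store Redirection
signature:s:PLACEHOLDER-NOT-A-REAL-SIGNATURE
"""

# Constructed sample of a file an administrator might hand out for an internal jump host.
BENIGN_RDP = """\
screen mode id:i:2
full address:s:jump01.corp.example
drivestoredirect:s:
redirectclipboard:i:0
authentication level:i:2
"""

if __name__ == "__main__":
    for label, text in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        findings = triage(text)
        print(f"{label}: {verdict(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

The same parser is what a mail-gateway filter would run over any attachment that turns out to be an .rdp file, whether it arrives bare or embedded in an Office document. The presence of a signature is reported as information only: it does not make the file safer, it only removes the prompt that might have made the user pause.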

Traditional protective measures are not effective

Because the attack produces none of the indicators conventional tools look for, standard security products often fail to detect it. A particularly critical point is that the "Mark of the Web" is bypassed: the payload is not downloaded from the internet, but written to the local disk through the redirected drive inside the RDP session, so it carries no Zone.Identifier stream and is treated like any locally created file. That makes detection even harder.
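The claim that there are no standard indicators deserves one caveat: the Remote Desktop client itself records every outbound connection in the Microsoft-Windows-TerminalServices-RDPClient/Operational log (Event ID 1024 with the requested server name, Event ID 1102 with the IP actually reached); it is simply rarely collected. As an added example that is not part of the original post, the following Python hunt flags RDP clients that reached hosts outside the organization. The event records, the internal DNS suffix .corp.example and the user names are constructed; the message texts follow the wording of those two events, while the field layout is a simplification of what a SIEM would hold.

```python
"""Hunt outbound RDP connections in the client-side RDP log (added example, not from the post)."""
from __future__ import annotations

import ipaddress
import re

# Assumption for this example: the organisation's internal DNS suffix and address space.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Microsoft-Windows-TerminalServices-RDPClient/Operational:
#   1024  "RDP ClientActiveX is trying to connect to the server (<name>)"                 -> requested target
#   1102  "The client has initiated a multi-transport connection to the server <ip>."     -> reached IP
CONNECT_RE = re.compile(r"trying to connect to the server \(([^)]+)\)")
REACHED_RE = re.compile(r"connection to the server (\d{1,3}(?:\.\d{1,3}){3})")  # IPv4 only


def extract_target(event: dict) -> str | None:
    """Return the host named in a 1024 event or the IPv4 address in a 1102 event, else None."""
    if event["event_id"] == 1024:
        match = CONNECT_RE.search(event["message"])
    elif event["event_id"] == 1102:
        match = REACHED_RE.search(event["message"])
    else:
        return None
    return match.group(1) if match else None


def is_external(target: str, internal_suffixes: tuple[str, ...] = INTERNAL_SUFFIXES) -> bool:
    """True unless the target is a private IPv4 address or carries an internal DNS suffix."""
    host = target.split(":")[0]  # drop an optional ':port'; hostnames and IPv4 only
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(internal_suffixes)
    return not any(ip in net for net in INTERNAL_NETS)


def hunt(events: list[dict], internal_suffixes: tuple[str, ...] = INTERNAL_SUFFIXES) -> list[dict]:
    """One alert per external connection attempt, enriched with the reached IP if a 1102 followed.

    A 1024 to an external host opens an alert; the next 1102 for the same user confirms
    that the transport was established (a firewall block would leave 'connected' False).
    """
    alerts: list[dict] = []
    pending: dict[str, dict] = {}  # user -> alert still waiting for its 1102
    for ev in sorted(events, key=lambda e: e["time"]):
        target = extract_target(ev)
        if target is None:
            continue
        if ev["event_id"] == 1024:
            pending.pop(ev["user"], None)
            if is_external(target, internal_suffixes):
                alert = {"time": ev["time"], "user": ev["user"], "target": target,
                         "resolved_ip": None, "connected": False}
                alerts.append(alert)
                pending[ev["user"]] = alert
        elif ev["user"] in pending:  # 1102 completing the pending external attempt
            pending.pop(ev["user"]).update(resolved_ip=target, connected=True)
    return alerts


# Constructed events: a normal hop to an internal jump host, then a connection that an
# .rdp attachment opened to a host outside the organisation.
SAMPLE_EVENTS = [
    {"time": "2024-11-05T09:12:01Z", "event_id": 1024, "user": "CORP\\a.miller",
     "message": "RDP ClientActiveX is trying to connect to the server (jump01.corp.example)"},
    {"time": "2024-11-05T09:12:02Z", "event_id": 1102, "user": "CORP\\a.miller",
     "message": "The client has initiated a multi-transport connection to the server 10.20.1.15."},
    {"time": "2024-11-05T14:47:10Z", "event_id": 1024, "user": "CORP\\j.doe",
     "message": "RDP ClientActiveX is trying to connect to the server (desk-support.example.net)"},
    {"time": "2024-11-05T14:47:11Z", "event_id": 1102, "user": "CORP\\j.doe",
     "message": "The client has initiated a multi-transport connection to the server 203.0.113.5."},
    {"time": "2024-11-05T14:47:40Z", "event_id": 1026, "user": "CORP\\j.doe",
     "message": "RDP ClientActiveX has been disconnected (Reason= 2)"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Forwarding this one log channel from workstations is cheap and gives the SOC the indicator the attack otherwise lacks: a client-side RDP connection from a user's desktop to a host nobody in the organization administers.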

Companies must take action

What helps in the short term?

  • Block outbound RDP connections (TCP and UDP 3389) from workstations to the internet, at the perimeter and in the host firewall
  • Filter emails with .rdp files attached, including .rdp files embedded in Office documents
  • Stronger access controls for remote access, for example allow-listing the hosts users may connect to
  • Use of modern solutions such as Zero Trust Network Access (ZTNA)

Conclusion

MalRDP is not a theoretical scenario; it is already being used. Organizations that rely on RDP should urgently review their security policies and consider modern protection strategies such as behavior-based monitoring and dynamic access control. After all, a single click on a PowerPoint attachment can be enough to compromise the entire network.

Do you have any questions about this topic?

We offer a free, no-obligation initial consultation, directly with our management team.
