Kevin Beaumont on Nostr: lol, I was wondering when this would get picked up by threat actors, I had a Twitter ...
Published at 2024-10-29 19:30:55

Event JSON
{
"id": "0d92238bfcd7d6e959bf58dc0f13ee236f23ca408b36d4266cafa824898dbeb7",
"pubkey": "f6870afcde4480ec8508f50304859e14a51309ff24ab3f0f862c52bdc4af8747",
"created_at": 1730230255,
"kind": 1,
"tags": [
[
"proxy",
"https://cyberplace.social/users/GossiTheDog/statuses/113392370019775869",
"activitypub"
]
],
"content": "lol, I was wondering when this would get picked up by threat actors, I had a Twitter thread on this years ago - about 2015\n\nRemoteApp = RDP session without sign to user you're still connected. Supports client redirection. Just publish an app that does nothing, that redirects the desktop = remote file access.\n\nThe threat actor hasn't figured it out, but you can also do this via a simple URL to an RSS feed with RD Gateway, and it traverses firewalls and DLP.\n\nhttps://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
"sig": "6ba0e241d55e88c7d102f565d347aad5d8d6c9f85d9d7a3679b9df8e0eff0dac8c68d5c61a0002116deac79b823aa5f8a1b3944b6c87dcab9773af1841520260"
}