In 2022, Microsoft began blocking macros originating from the internet in Office, pushing both pentesters and threat actors to explore new methods for initial access. Fast forward to October 2024, and APT29 is leveraging one of those methods—Rogue RDP—discovered as a workaround back in 2022. In this video, we dive into a recent spearphishing campaign uncovered by the Ukrainian CERT, where attackers used Rogue RDP to gain initial access to targets. This video will provide you practical detection opportunities that can be used to hunt for this activity in your environment.