Multi-factor authentication effectively nullifies the value of a stolen password in a text file.
In many documented attacks, a RDP.txt file found on a desktop or in a staging folder is a "smoking gun" indicating that: RDP.txt
Look for unusual login patterns or unauthorized use of mstsc.exe . RDP.txt
The attacker has a list of targets ready for a brute-force attack. RDP.txt
Use EDR (Endpoint Detection and Response) tools to alert you whenever a process creates a .txt file containing IP addresses or login strings.
The file may contain plaintext logins and passwords harvested from unsuspecting IT staff. DTIC.mil (AD1201693) How to Protect Yourself