Thursday, 21 May 2026

SecTor 2025 | Signature of Destruction: Outlook RCE Strikes Again

What if your Outlook signature could compromise your system? Following up on last year's RCE Chaos, where we achieved remote code execution through the injection of malicious forms by abusing Exchange Outlook synchronization protocols, we're back with a new class of Outlook remote code execution vulnerabilities—this time, abusing signature roaming between cloud and desktop clients. One compromised email account is all it takes to inject malicious signatures that auto-sync and execute on victims' machines—zero clicks, zero prompts.

We'll unveil three new RCE CVEs: CVE-2025-21357 & CVE-2025-47171 extending last year's form injection abuse and CVE-2025-47176 weaponizing the recently stabilized Outlook Roaming Signatures feature. Expect live demos and a look into an overlooked attack surface that's been quietly sitting in your inbox for over a year. We'll also show how Exchange helps deliver the final payload—and why traditional detections will miss it. This one's for reversers, red teamers, and defenders who thought they knew Outlook. You don't.

By:
Michael Gorelik | Chief Technology Officer, Morphisec
Arnold Osipov | Lead Researcher, Morphisec

https://ift.tt/6jotvV2

source https://www.youtube.com/watch?v=d0TfvpV1u-E
