SecTor 2025 | Signature of Destruction: Outlook RCE Strikes Again

Black Hat | May 21, 2026

Why It Matters

Because the exploit works with stolen credentials and no user interaction, it gives attackers persistent, cross‑device control of corporate Outlook environments, forcing urgent remediation and tighter post‑auth defenses.

Key Takeaways

  • Remote code execution can be achieved via Outlook roaming signatures.
  • Microsoft Exchange synchronizes malicious custom forms without user interaction.
  • Recent patches only partially mitigate form injection and COM hijack flaws.
  • Roaming settings store JSON signatures that can embed executable payloads.
  • Credential theft enables zero‑click attacks across all synced Outlook devices.

Summary

The SecTor 2025 talk by Michael Gorelik of Morphisec focused on a new attack chain that leverages Outlook’s roaming signature feature to achieve remote code execution (RCE) without any user clicks.

Gorelik recapped earlier Exchange‑based form‑injection bugs, COM‑object hijacking, and a calculator pop‑up exploit demonstrated at BlueHat. He then explained how Microsoft’s roaming settings store signatures as JSON blobs in Azure storage, which are automatically synced to every Outlook client. By injecting malicious HTML or RTF payloads into these blobs, an attacker who has stolen mailbox credentials can force the client to execute arbitrary code.

The presenter highlighted that the technique builds on previously patched vulnerabilities—Microsoft added prefix validation for form paths and suffix checks for COM methods, yet still allowed crafted strings to bypass controls. A “recall” form with a modified class ID caused a crash, illustrating the ease of weaponizing built‑in features. He also noted his recognition as Microsoft’s 2025 Most Valuable Researcher for uncovering such flaws.

The discovery widens the post‑authentication attack surface: any organization that enables roaming signatures now faces a zero‑click RCE risk. Enterprises must audit roaming settings, enforce strict signature sanitization, and consider disabling automatic sync until Microsoft hardens the underlying APIs.
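As an added, defender-side illustration of the "audit roaming settings" and "strict signature sanitization" advice above (this is example code written for this page, not code from the talk or from Morphisec), the following Python auditor walks a signature blob and flags active content that has no business in an email signature. The blob layout it parses (a `signatures` list of `name`/`format`/`body` objects) is an assumption, since the page does not document the real roaming-settings schema; the markers it looks for are standard ones: script-bearing HTML tags, `on*` event-handler attributes, `javascript:`/`vbscript:`/`file:` URI schemes, and RTF object-embedding control words. The sample blob is constructed.

```python
import json
import re
from html.parser import HTMLParser

# ASSUMED blob layout (the page does not give the real schema):
# {"signatures": [{"name": "...", "format": "html" | "rtf", "body": "..."}]}

# HTML elements that can carry or load executable content.
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet", "form", "meta"}
# Attributes that take a URL; flagged when the scheme is an active one.
URL_ATTRS = {"href", "src", "action", "data", "background"}
ACTIVE_URI = re.compile(r"^\s*(javascript|vbscript|file):", re.I)
# RTF control words used to embed OLE objects or fields inside a document.
RTF_ACTIVE = re.compile(r"\\(object|objemb|objlink|objautlink|objdata|objclass|field)\b")


class _Collector(HTMLParser):
    """Collects findings while the stdlib parser walks the HTML signature."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value and ACTIVE_URI.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                self.findings.append(f"{name} on <{tag}> uses scheme {scheme}")


def audit_html(body):
    """Return a list of findings for an HTML signature body (empty = clean)."""
    collector = _Collector()
    collector.feed(body)
    collector.close()
    return collector.findings


def audit_rtf(body):
    """Return a sorted, de-duplicated list of object/field control words found."""
    return sorted({f"RTF control word \\{word}" for word in RTF_ACTIVE.findall(body)})


def audit_blob(json_text):
    """Map each signature name in the blob to its findings."""
    blob = json.loads(json_text)
    report = {}
    for entry in blob.get("signatures", []):
        fmt = entry.get("format", "").lower()
        if fmt == "html":
            findings = audit_html(entry.get("body", ""))
        elif fmt == "rtf":
            findings = audit_rtf(entry.get("body", ""))
        else:
            findings = [f"unrecognised format {fmt!r}"]
        report[entry.get("name", "<unnamed>")] = findings
    return report


# Constructed sample blob: one clean signature, one with script content,
# one RTF signature carrying an embedded OLE object.
SAMPLE_BLOB = json.dumps({"signatures": [
    {"name": "clean", "format": "html",
     "body": '<p>Regards,<br><a href="https://example.com">Example</a></p>'},
    {"name": "tampered-html", "format": "html",
     "body": '<p>Regards</p><img src="x" onerror="run()"><script>run()</script>'},
    {"name": "tampered-rtf", "format": "rtf",
     "body": r"{\rtf1\ansi Regards {\object\objemb{\*\objclass Package}{\*\objdata 00}}}"},
]})

if __name__ == "__main__":
    for name, findings in audit_blob(SAMPLE_BLOB).items():
        status = "OK" if not findings else "FLAGGED"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against an exported blob, anything other than an empty finding list is a signature that should be quarantined and reviewed before it is allowed to sync to other devices; in a sanitization pipeline the same checks would reject the write rather than just report it.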

Original Description

What if your Outlook signature could compromise your system?
Following up on last year's RCE Chaos, where we achieved remote code execution through the injection of malicious forms by abusing Exchange Outlook synchronization protocols, we're back with a new class of Outlook remote code execution vulnerabilities—this time, abusing signature roaming between cloud and desktop clients.
One compromised email account is all it takes to inject malicious signatures that auto-sync and execute on victims' machines—zero clicks, zero prompts.
We'll unveil three new RCE CVEs: CVE-2025-21357 & CVE-2025-47171 extending last year's form injection abuse and CVE-2025-47176 weaponizing the recently stabilized Outlook Roaming Signatures feature.
Expect live demos and a look into an overlooked attack surface that's been quietly sitting in your inbox for over a year. We'll also show how Exchange helps deliver the final payload—and why traditional detections will miss it.
This one's for reversers, red teamers, and defenders who thought they knew Outlook. You don't.
By:
Michael Gorelik | Chief Technology Officer, Morphisec
Arnold Osipov | Lead Researcher, Morphisec
