1、#SECTORCA BlackHatEventsSignature of Destruction:Outlook RCE Strikes AgainMichael Gorelik&Arnold Osipov#SECTORCA BlackHatEventsAuthenticated SafeAuthentication creates a false sense of security.Post-login features rarely undergo the same validation and sanitization,leaving exploitable gaps.#SECTORCA
2、 BlackHatEventsWHOAMIFounder,Windows Reverse engineer,Red Teamer,MSC Computer Science,Vulnerability and Malware Researcher,Incident Responder,Speaker,Microsoft MVR 2025 Chief Technology Officerat Morphisecsmgoreli Michael GoreliksmgorelikMichael Gorelik#SECTORCA BlackHatEventsWHOAMIWindows Reverse e
3、ngineer,Red Teamer,Malware Researcher,Speaker,Microsoft MVR 2025Lead Malware researcherat Morphisecosipov_arArnold OsipovArnold Osipov#SECTORCA BlackHatEventsAgenda Recap-Defcon+BlueHat 2024-Outlook Unleashing RCE Chaos”Forms RCE CVE-2025-21357 Outlook Roaming Settings Roaming Signatures CVE-2025-41
4、176+Patch#SECTORCA BlackHatEventsRecapDEFCON 32-Outlook Unleashing RCE Chaos CVE-2024CVE-2024-21378 NetSPI CVE-2024-30103https:/ BlackHatEventsRecapBlueHat 2024-Outlook Unleashing RCE Chaos CVE-2024CVE-2024-38173https:/ BlackHatEventsCVE-2025-21357Dereferencing of potentially controlled pointer lead
5、s to a crash#SECTORCA BlackHatEvents#SECTORCA BlackHatEventsRoaming Settings GET/PATCH/DELETE/ows/v1/OutlookCloudSettings/settings/account Hosts:,App barSignaturesCalendar Filterhttps:/ BlackHatEventsCaching Settings Locally#SECTORCA BlackHatEventsRoaming SignaturesIn New Outlook,Microsoft uses roam
6、ing signatures October 2022,signatures are stored in the cloud tied to the mailbox not the profile or device.#SECTORCA BlackHatEventsCreate Signature on Desktop#SECTORCA BlackHatEventsLocal SignaturesAll signatures are roamed into a special folder:%AppData%RoamingMicrosoftSignatu