
Michael Berik Details Zero-Click RCE Vulnerabilities in Microsoft Exchange and Outlook
The presentation by Michael Berik, CTO of Morphoscans, details zero-click remote code execution (RCE) vulnerabilities in Microsoft Exchange and Outlook, focusing on post-authentication attack vectors: an attacker who already holds a victim's credentials, rather than one who merely sends an unsolicited message. Key techniques include custom form injection, COM hijacking, and flaws in roaming signature synchronization; the most recent of these vulnerabilities was patched two months before the talk.

The speaker demonstrated how an attacker with compromised credentials can manipulate roaming settings, in particular signatures, which the client stores on disk as HTML, RTF, or TXT files. Because the signature name is used to build the file path, an attacker can perform directory traversal and drop a file into the user's Startup folder, where it is launched at the next logon. Microsoft's patches were bypassed several times, each through insufficient sanitization of signature names and file paths, and fuzzing of the same code uncovered additional memory-corruption vulnerabilities.

The talk highlighted that roaming signatures, introduced in 2022, lack Graph API support and remain a persistent attack surface, with some issues still unpatched and under disclosure. Defenses mentioned include disabling roaming signatures, monitoring the HTTPS-based API calls used to synchronize them, and enforcing MFA, though the speaker noted that MFA bypasses are common in incident-response cases. Earlier vulnerabilities in this line of research were disclosed at DEF CON (August 2024) and BlueHat (November 2024); a January 2025 patch addressed a minor RCE.
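The path-confinement failure the talk describes, as an added example that is not code from the talk, from Morphoscans, or from Microsoft: a naive single-pass filter that strips `..\` from a signature name, beside a hardened builder that treats the name as an opaque leaf and re-checks the result after normalization. The profile paths, the `....\\` bypass input, the `evil` file name and the extension allowlist are all constructed assumptions for illustration; they are not the actual payloads or sanitization logic discussed in the presentation. `ntpath` is used so the Windows path semantics are reproduced on any host.

```python
import ntpath  # Windows path semantics regardless of the host OS
from typing import Optional

# Constructed profile-local locations for a hypothetical user "alice";
# the real directories the client uses are not taken from the talk.
SIGNATURE_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Signatures"
STARTUP_DIR = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")

# Assumed allowlist: the three on-disk formats the talk mentions.
ALLOWED_EXT = {".htm", ".rtf", ".txt"}

# Constructed bypass input for the naive filter: each "....\\" loses one
# "..\" to a single-pass replace and leaves a genuine "..\" behind.
TRAVERSAL_NAME = ("....\\\\" * 2
                  + r"Microsoft\Windows\Start Menu\Programs\Startup\evil")


def naive_signature_path(name: str, ext: str) -> str:
    """Insufficient sanitization: strips '..\\' and '../' in one pass and then
    trusts the result. Illustrates the flaw class, not Microsoft's code."""
    cleaned = name.replace("..\\", "").replace("../", "")
    return ntpath.join(SIGNATURE_DIR, cleaned + ext)


def resolve(path: str) -> str:
    """Collapse '.' and '..' the way the filesystem will when the file is written."""
    return ntpath.normpath(path)


def is_confined(base: str, path: str) -> bool:
    """True only if the normalized path lies strictly inside the base directory."""
    base_n = ntpath.normcase(ntpath.normpath(base)).rstrip("\\")
    path_n = ntpath.normcase(ntpath.normpath(path))
    return path_n.startswith(base_n + "\\")


# Separators, drive colon, wildcards, redirection characters and controls.
_FORBIDDEN = set('\\/:*?"<>|') | {chr(c) for c in range(32)}
# Win32 device names that resolve to a device regardless of extension.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def hardened_signature_path(name: str, ext: str) -> Optional[str]:
    """Treat the signature name as an opaque leaf name, never as a path."""
    if ext.lower() not in ALLOWED_EXT:
        return None
    if not name or name != name.strip(" .") or len(name) > 255:
        return None          # Win32 silently trims trailing dots and spaces
    if any(ch in _FORBIDDEN for ch in name):
        return None          # no separators, no drive prefix, no wildcards
    if name.split(".")[0].upper() in _RESERVED:
        return None          # "con.txt" still opens the console device
    candidate = resolve(ntpath.join(SIGNATURE_DIR, name + ext))
    if not is_confined(SIGNATURE_DIR, candidate):
        return None          # defense in depth: re-check after normalization
    return candidate


if __name__ == "__main__":
    bad = naive_signature_path(TRAVERSAL_NAME, ".htm")
    print("naive filter writes to:", resolve(bad))
    print("confined to signature dir?", is_confined(SIGNATURE_DIR, bad))
    print("hardened, traversal name:", hardened_signature_path(TRAVERSAL_NAME, ".htm"))
    print("hardened, 'Work':", hardened_signature_path("Work", ".htm"))
```

The point of `is_confined` is that it runs on the normalized path, after `..` has been collapsed, so it does not depend on guessing every encoding of a parent-directory reference; the character filter in front of it is the first line of defense, and the confinement check catches whatever a future filter bypass lets through.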