With CVE-2020-1599, MS patched a bug that allows an attacker to append data to a signed PE file without invalidating its signature. Abusing this, as an example, would permit an attacker to deliver "signed" HTA payloads. Example "evil" HTA: https://t.co/UOLUGYROBQ pic.twitter.com/1yowaR8ANj

— Matt Graeber (@mattifestation) November 10, 2020