The subDoc feature is designed to load a document that exists as its own file into the body of another document. It might be used to include information from one document in another while keeping the included information editable and viewable on its own. Upon further inspection, we determined that we could load remote (internet-hosted) subDoc documents into the host document, opening the potential for abuse in certain situations.
This feature piqued our curiosity, as it resembled a similar Office feature we’ve seen abused in the wild, attachedTemplate. Using the attachedTemplate method, an attacker would be able to send an arbitrary document to a target that would, upon opening, display a Windows-style authentication prompt. It is this innocent-looking functionality that usually catches the target by surprise and provides us the opportunity to harvest credentials remotely.
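For triage of inbound documents, the following added example (not code from the original post) lists every relationship of type subDocument or attachedTemplate that is marked `TargetMode="External"` inside an OOXML package. The function names, the `example.invalid` targets and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
WATCHED = {OFFICE_REL + "subDocument", OFFICE_REL + "attachedTemplate"}


def find_external_refs(docx_bytes):
    """Return (part, kind, target) for each watched external relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            # For untrusted files, a hardened parser such as defusedxml is preferable.
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                kind = rel.get("Type", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if kind in WATCHED and external:
                    hits.append((name, kind.rsplit("/", 1)[1], rel.get("Target")))
    return hits


def build_sample(rels_by_part):
    """Constructed sample: a zip holding only .rels parts, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part, rels in rels_by_part.items():
            body = "".join(
                '<Relationship Id="rId%d" Type="%s" Target="%s"%s/>'
                % (i, OFFICE_REL + kind, target, ' TargetMode="External"' if ext else "")
                for i, (kind, target, ext) in enumerate(rels, 1)
            )
            zf.writestr(part, '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, body))
    return buf.getvalue()


# Constructed input: (relationship kind, target, is_external) per package part.
SAMPLE = build_sample({
    "word/_rels/document.xml.rels": [
        ("subDocument", "https://example.invalid/sub.docx", True),
        ("hyperlink", "https://example.invalid/", True),   # ordinary link, not flagged
        ("image", "media/image1.png", False),
    ],
    "word/_rels/settings.xml.rels": [
        ("attachedTemplate", "https://example.invalid/t.dotx", True),
    ],
})
```

Calling `find_external_refs(open(path, "rb").read())` on a real file returns the same tuples, which can feed a mail-gateway or sandbox rule that quarantines documents referencing remote sub-documents or templates.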