■■■■□ This is how macOS devs get compromised by opening a .docx (file opening a resume, opening a p.o. sow whatever)
In short:
> docx can have a remote template (feature to let it pull styles from an http server)
> docx remote template runs VBA in your machine
> this VBA can run an osascript like the one below
>Word has sandboxing in place, but not if the file name starts with ~$.myfile – they regexed it out for allowing Word itself to write temp files
> macOS on start unzips any zip files /Users/youruser/Library
> if that zip has a folder LaunchAgents with a plist file inside – that plist can invoke any command as a perfectly root level persistency (e.g. connect to a C2)
https://x.com/i/status/2077989634009629113
https://github.com/forefy/JXA-Persistency
