While such attacks are relatively uncommon up until the time the NSA used them in 2012, the reports all come from emails obtained from an FOIA request by the Vice. In one instance cited by The Hill, though, the emails revealed that Snowden was providing tech support for a proprietary macro embedded in NSA Hawaii documents which were incompatible with Washington, D.C. offices. Then, in a secondary follow-up email cited in Vice’s report, Snowden explains that,
“The program used by the analysts to generate these files embeds a huge amount of hidden metadata into every file it creates. In this case, it’s creating a ‘phone home’ link that tells Word where to get a copy of the FISA document template that was used to create the file. That means when someone outside the enclave tries to open the document in Word, Word immediately detects the phone home link and tries to go get a copy of the document template (from the enclave it can’t reach).”
Snowden also went on detail in the emails that the NSA employees had Microsoft macros enabled by default because they used those macros as a key part of very sensitive intelligence reporting. Microsoft, nonetheless, in March released a feature for Office 2016 to disable and block those high-risk macros similar to the ones used by the NSA.