During the attack chain (nicely described here), the JavaScript inside the HTML gets executed and calls an ms-msdt:// URL. Within this URL you have PowerShell embedded, as in the example:
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe "";
My question is: Why is this PowerShell executed and who exactly executes this? Is this a bug related to msdt or does this only happen in conjunction with an Office application/document? I would like to understand what the root cause/bug is that leads to this execution.
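
A defender-side view of the URL quoted in the question, as an added example that is not part of the original post: a Python scanner that pulls `ms-msdt:` URIs out of HTML or script text, splits the `IT_*` parameters, and flags values carrying a PowerShell `$(...)` subexpression or repeated `../` segments. The function names and the sample input (with `PLACEHOLDER` where the command would be) are assumptions made for illustration.

```python
import re

# An ms-msdt: URI, taken to the end of its line (embedded script may contain ';').
MSDT_URI = re.compile(r'ms-msdt:[^\r\n]*', re.IGNORECASE)
# IT_* key=value pairs; a value ends at the next key, a closing quote, or end of text.
PARAM = re.compile(r'(IT_\w+)=(.*?)(?=\s+IT_\w+=|\s*\\?"|$)', re.IGNORECASE)
# Two or more consecutive ../ or ..\ segments.
TRAVERSAL = re.compile(r'(?:\.\.[\\/]){2,}')


def parse_params(uri):
    """Return the IT_* parameters that follow /param as a dict."""
    _, _, tail = uri.partition('/param')
    return {name: value.strip() for name, value in PARAM.findall(tail)}


def assess(params):
    """List the suspicious traits found in each parameter value."""
    findings = []
    for name, value in params.items():
        if '$(' in value:  # PowerShell subexpression operator
            findings.append((name, 'powershell-subexpression'))
        if TRAVERSAL.search(value):  # path climbs out of its directory
            findings.append((name, 'path-traversal'))
    return findings


def scan(text):
    """Find every ms-msdt: URI in HTML/JS text and assess its parameters."""
    results = []
    for match in MSDT_URI.finditer(text):
        uri = match.group(0)
        pack = re.search(r'/id\s+(\w+)', uri)
        params = parse_params(uri)
        results.append({'pack': pack.group(1) if pack else None,
                        'params': params, 'findings': assess(params)})
    return results


# Constructed sample mirroring the shape of the URL in the question;
# PLACEHOLDER stands in for the embedded command.
SAMPLE = r'''<script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(PLACEHOLDER)i/../../../Windows/System32/mpsigstub.exe "";
</script>
<a href="https://example.test/help">help</a>'''

if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(hit['pack'], hit['findings'])
```

The same checks can be run over mail attachments, proxy-captured HTML, or extracted document relationships; any `ms-msdt:` URI in such content is worth reviewing even when no finding is raised.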