Presumably he opened an Office document containing macros. Macros are able to execute system commands and load malicious PowerShell code.
Executable files are blocked by pretty much all corporate e-mail systems. Zero-days for PDF viewers are rare. After all, most hacking attacks are things like ransomware campaigns, where everyone is a potential victim and phishing mails are sprayed all over the internet. A zero-day would be burnt pretty quickly.
However, many users legitimately need Office macros and also need to open Office documents to collaborate with contractors or customers. Many times, the phishing mail comes from a legitimate address because the other company has been compromised already.
The solution would be to only allow signed macros, but depending on the size of the organization, that can be costly.
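
As an added example (not part of the original answer), this read-only PowerShell audit reports whether the "signed macros only" policy is actually in force for the current user. It assumes Office 2016/2019/365 (policy version key `16.0`) and the per-user policy hive; the function name `Get-MacroPolicy` is made up for this sketch.

```powershell
# Added example: read-only audit of the Office macro policy for the current user.
# Assumption: Office 2016/2019/365, whose policy settings live under the "16.0" key.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy value (DWORD)
$vbaWarnings = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroPolicy {
    param([string]$App, [string]$Version)
    $key   = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    # A missing key means no policy is set, so the user controls the setting.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $warn  = $props.VBAWarnings
    $block = $props.blockcontentexecutionfrominternet
    [pscustomobject]@{
        Application         = $App
        VBAWarnings         = if ($null -ne $warn) { $vbaWarnings[[int]$warn] } else { 'Not configured (user can choose)' }
        # 3 = signed macros only, 4 = no macros at all; both prevent unsigned macros from running.
        UnsignedBlocked     = ($warn -in 3, 4)
        # 1 = macros in files carrying the Mark of the Web (mail, downloads) are blocked.
        BlockInternetMacros = ($block -eq 1)
    }
}

$report = foreach ($app in $apps) { Get-MacroPolicy -App $app -Version $officeVersion }
$report | Format-Table -AutoSize

# Flag every application where an unsigned macro from an e-mail attachment could still run.
$gaps = $report | Where-Object { -not $_.UnsignedBlocked -or -not $_.BlockInternetMacros }
if ($gaps) {
    Write-Warning ("Macro policy not enforced for: " + ($gaps.Application -join ', '))
}
```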