Currently, the new capabilities are open only to users of Office Insider, an opt-in feature of Office that gives users the latest updates and features from the Office dev team. But if it proves popular, Microsoft could allow even greater access to the new feature.
We’ve mentioned before how remote code (like Flash) can be used to attack systems. CVE-2018-5002, for example, involves embedding a Flash file in an Excel document using ActiveX; when activated, that file downloads yet another Flash file. Once the download completes, the initial Flash file decrypts the second one, which is where the malware is located and which, once executed, downloads a malicious shell and executes it, using instructions from the command and control server.
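A defender can check workbooks for the embedding described above before they reach users. The following is an added example, not code from the original article: it scans an OOXML workbook for ActiveX parts that instantiate the Flash control, and the function names, the sample workbook, and the assumption that the control is stored as an XML part with a `Movie` property are all illustrative.

```python
import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
CLASSID_RE = re.compile(rb'classid="\{?([0-9A-Fa-f-]{36})\}?"')
# Assumption: property-bag persistence, where Movie names the SWF to load.
MOVIE_RE = re.compile(rb'ocxPr[^>]*?name="Movie"[^>]*?value="([^"]*)"', re.I)


def find_flash_activex(data: bytes):
    """Return [(part_name, movie_or_None)] for Flash controls in an OOXML file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lowered = name.lower()
            # ActiveX control definitions live under xl/activeX/ in a workbook.
            if "/activex/" not in lowered or not lowered.endswith(".xml"):
                continue
            xml = zf.read(name)
            m = CLASSID_RE.search(xml)
            if m and m.group(1).decode().upper() == FLASH_CLSID:
                movie = MOVIE_RE.search(xml)
                hits.append((name, movie.group(1).decode() if movie else None))
    return hits


def constructed_workbook(classid: str, movie=None) -> bytes:
    """Build a minimal, constructed test archive (not a real workbook)."""
    prop = f'<ax:ocxPr ax:name="Movie" ax:value="{movie}"/>' if movie else ""
    part = (
        f'<ax:ocx ax:classid="{{{classid}}}" ax:persistence="persistPropertyBag" '
        f'xmlns:ax="http://schemas.microsoft.com/office/2006/activeX">{prop}</ax:ocx>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/activeX/activeX1.xml", part)
    return buf.getvalue()


if __name__ == "__main__":
    sample = constructed_workbook(FLASH_CLSID.lower(), "https://example.invalid/a.swf")
    for part, movie in find_flash_activex(sample):
        print(f"Flash ActiveX control in {part}, Movie={movie}")
```

A hit is a reason to quarantine the file for analysis; controls persisted in binary form would need a separate check.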