The understanding that some member of the press will take the document back to work or networked home desktop computer and double click on the icon.
As they read the document the network makes a connection.
Its about the idea of the average reader in an average network location given the origin of the documents and their daily habits and the expectation of software they are provided with.
If a document is ever found the in the wild, it looks like malware with a good cover story to read while the code reports the user.
Add in OS X, Windows and Linux OS detection, complex ip reporting that works and a lot of different security researchers get interested and that adds interest to the document.
A "CIA" document with MS malware, thats just malware with better than average bait to get the user to open it.
A CIA document with unique phone home code that spans different OS's in very interesting ways would add to the CIA part.
Sometimes simple is better given the tools the reader is expected to use daily. The reader could be expected to us MS software to see all the document and uncover other details in the document.
A member of the press will want to look for any details in the document. Dates, notes, draft, corrections, history. Names, locations, officials that can be tracked to their job descriptions. If such simple facts hold, it can be passed on to document experts for further consideration.
A member of the press does not know who else has the document and could be expected to want to read and understand and then get published.
A security consultant looking over the document first could see rivals publishing first or finding details in the hours the security consultant was working.
A person who understood security issues could take the document to a special computer and fake network and see how the document responds in a MS Windows and MS application setting.
Does it phone home, what and how much data does it risk when it phones home.
Same document, very different first approaches. The understanding of set time to publish and the need to publish will push back decades of expected document security advice.
The US press does not care if they are tracked to their office as they have freedom to publish and freedom after publication. Read first, have the document looked over, get the story out.
A CIA version of FIRSTFRUIT. "The Most Intriguing Spy Stories From 166 Internal NSA Reports" (2016-05-16) https://theintercept.com/2016/...
"scanned 350 press items daily for “cryptologic insecurities” and maintained a database called FIRSTFRUIT with “over 5,000 insecurity-related records” ranging from “espionage damage assessments” to “liaison exchanges.”"