We noticed that Adrian Crenshaw's (@irongeek_adc) demo track.docx included some external images, which were used for tracking Tor users out-of-band in MS Office.
Scanning within the content of an OpenXML docx file is a good use for Cryptam's Yara integration, so we created a quick Yara rule to detect the use of external images in the way used in this presentation. It will also work on some variants of this technique, such as embedding a docx within an OLE document or within an RTF file.
rule docx_external_image  // placeholder name; the original rule name is not on this page
{
    meta:
        ref = "https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Crenshaw"
        author = "Malware Tracker @mwtracker"
        date = "Aug 10 2014"
        hash = "63ea878a48a7b0459f2e69c46f88f9ef"
    strings:
        $a = "schemas.openxmlformats.org" ascii nocase
        $b = "TargetMode=\"External\"" ascii nocase
    condition:
        all of them
}
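
The two strings in the rule match any external relationship, ordinary hyperlinks included, so a hit is worth triaging by relationship type. The following is an added example, not Malware Tracker's or Cryptam's code: it reads the .rels parts of a docx and reports only external relationships of the image type. The sample package and the tracker.example URL are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted samples, consider defusedxml

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART = 1 << 20  # skip oversized .rels parts (decompression-bomb guard)


def external_relationships(docx_bytes):
    """Return (part, type, target) for each TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".rels") or info.file_size > MAX_PART:
                continue
            root = ET.fromstring(zf.read(info))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((info.filename, rel.get("Type", ""), rel.get("Target", "")))
    return found


def external_images(docx_bytes):
    """Keep only external relationships of the image type (remote image fetch)."""
    return [r for r in external_relationships(docx_bytes) if r[1] == REL_BASE + "image"]


def build_sample():
    """Constructed minimal package: one embedded image, one remote image, one hyperlink."""
    rel = '<Relationship Id="rId%d" Type="' + REL_BASE + '%s" Target="%s"%s/>'
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        + rel % (1, "image", "media/image1.png", "")
        + rel % (2, "image", "http://tracker.example/pixel.png", ' TargetMode="External"')
        + rel % (3, "hyperlink", "http://www.example.org/", ' TargetMode="External"')
        + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rtype, target in external_images(build_sample()):
        print(part, target)
```

Header and footer parts carry their own .rels files, which is why the scan walks every .rels entry rather than only word/_rels/document.xml.rels.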