Reply to post: Ahh, it's application level granularity...

RDX removable disk has ransomware protection begging to be bypassed

Christian Berger

Ahh, it's application level granularity...

therefore it's software.

One obvious attack is attacking that software. Maybe if it crashes you get full access.

More likely attacks are on the software a user uses. Many Windows programs have a bug handling timer events. Essentially they activate a timer which will generate an event after some time. That event can have some data attached to it. In the 1990s it was common to put a pointer to the function you want to be called there. Additionally you can set the text of GUI elements from another program (one important Windows feature, it's often used by screen readers), so you can get code into them. Add both problems together and you can get any software to do anything.

Ohh and of course if you allow Office full access, you can always use OLE Automation to open documents, encrypt them, and close them again, all with (moderately) easy to access and stable functions. You can even do it in the background. Also you can execute code in the context of Word or Excel.
