You can inject VBA scripts -- like any other scripting language, into documents that support them and they'll just run with FULL system access. The only way to prevent them from having full access is for the user to disable scripts altogether. It's been the bane of security since vb scripts inside documents came along... this is particularly true in Outlook, since running code from untrusted e-mails? That has FULL system-wide access?
It even made it onto the page full of truthiness:
Distributing stuff done in VBA is often a problem, as they don't work for more knowledgeable users who turn app scripts off in the first place, and will be extremely unlikely to agree to turn them on just for your one little project. At the same time in many offices there are old 'applications' built with it that means you can't turn it off in things like excel, word or access, leaving those systems with gaping security holes you end up having to use other software to plug up.
It's one of those cute late 90's ideas before we had truly malicious code out there -- and unfortunately thanks to endless legacy in-house crapplets many businesses rely upon, it keeps lumbering forward like the behemoth that just won't die.