Basically, it all works like this: A user opens up a Markdown file that contains an innocent-looking link in it, but upon opening said link, Notepad then starts to load and execute remote files that scrape data or do other nasty stuff with the computer. If the user has admin rights, then the attacker would have the same privileges too.