I’ve just released a blog post over at SANS pen-testing blog. Check out my latest article there: https://www.sans.org/blog/finding-zero-day-xss-vulns-via-doc-metadata/
It contains details on using metadata as an attack vector, and using these techniques to metadata bomb documents to find zero-days.
I hope you enjoy it.