How Did THAT Get There???

Didier posted recently regarding a VBA macro in Excel that allowed him to launch a command shell. This got me to thinking about something I'd read about in the Mandiant M-Trends report...specifically:

For starters, the attackers conduct reconnaissance to identify workers to target in spear-phishing attack...

From an analysis perspective, this can be something of a concern for a responder. One of the biggest analysis issues I've seen has been determining the original infection or compromise vector for an incident. Very often, the analyst can easily locate malware or new user accounts created on a compromised system, but these are often secondary or tertiary artifacts of the original compromise. While these artifacts do provide significant information (i.e., add context and provide a timeframe for the compromise), many times, the initial means of compromise will not be determined...at least, not in a manner that is supported by data.
So the point is that yes, something happened on the system, but how did it get there? More importantly, how do we prove it and not just speculate? Something like this may obviate or support the "Trojan Defense" claim...after all, if you find no indications of a doc-borne attack (spear phishing), then might that not be one way to obviate the claim?