Fault with Excel Spreadsheet?

[ccolemanalt]

Maybe I'm missing something, but wouldn't a malicious actor need to enable editing on a CT spreadsheet before the script could run and send an alert? For instance, I created & named a spreadsheet "passwords", and add a few fake credentials for different sites. If someone access it, they can see the fake creds, and there's no need to enable editing. Correct?