The documents and addresses used for high-end spear phishing usually come from a recent previous compromise. You'll see a sender that you frequently get mail from and know personally, and the document attached will be a new version of something they previously sent, or something new that person is working on that would be of particular interest. It is quite difficult to completely insulate even the smartest and most prepared organizations from persistent attacks like this - someone only has to screw up once, and people screw up a lot more than that.
I agree, that is quite a sophisticated attack and I hadn't been aware of it (even missed it after skimming the McAfee article, I guess). Thanks for clarifying.