What technique is used to bypass Autoruns detection when hijacking system DLLs for Office applications?

The article shares specific DLL hijacking locations that only trigger when a particular Office feature is used—for example, LOCALSVC.DLL for Word's Review View or tiptsf.dll for Insert Picture. Because the payload executes only upon user interaction with that feature (not at startup), it evades Autoruns and similar startup detection tools.