Lately I've been hit by people sending a legit-looking email, wanting to click on something. Since I have a fairly well hardened Linux machine, I clicked on them. They want your MS net password. Contacting these people, I find they clicked on something, and all those emails were sent out.
I know these people are using plain vanilla MS outlook and ie. I'm assuming these worms are using a new trick, so maybe any ms system can't resist.
I've told these people to consider using something else, but I know it is hopeless. Just be on the alert for these things. :)