"Employees are tricked into installing the malicious programs by cleverly-crafted e-mails loaded with infected documents. In some cases, the attackers download publicly-available documents off the Internet, load the documents with the Trojan horse, then e-mail them to carefully-selected employees who would be likely to open such a file. To make the notes even more realistic, the e-mail appears to come from a co-worker." So says the UK's NISCC (National Infrastructure Security Coordination Centre - home of the UK WARPs) in a generic public warning.
More email security and malware links.