How do I know? I performed a proof-of-concept test on some spam-protected targets to see how easily I could invade them by sending malicious HTML, and it worked well, even at reasonably security-paranoid corporate networks, like a Manhattan-based international law firm and a Georgia bank. Here's my five-step process (for technical details and the script, see feldman.org/smtp):
1. Procure targeted e-mail addresses by the "negative acknowledgement" technique spammers use. Once you know the names of VIPs, send probe messages to all permutations of those names (jfeldman, feldmanj, jonathan.feldman and so on) until you no longer get a bounce message; no bounce means it's a valid address.
2. Identify an article of interest to the targeted business. In my bank test, for instance, I used one from Forbes.
3. Craft a message with a spoofed but correct user e-mail address in the "From" field--the CEO's a good choice. Address the "To" field to other correct e-mail addresses, one at a time, so each user thinks the message is personal.
4. Put a spoofed URL in the body of the message, just as the Wallon virus or Osama Trojan did. This fake URL appears to point to the article but may point to a page containing the latest "day 0" IE exploit with the power to take over the user's machine.
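The spoofed-URL trick in step 4 relies on the link's visible text naming one site while its href points elsewhere. A mail gateway or client-side filter can catch exactly that mismatch. The following is an added example written for this page, not the feldman.org script or any code from the article: it parses the HTML body of a message, pulls out every anchor, and flags any whose displayed text looks like a hostname that differs from the host the href actually resolves to. The message body, the hostnames and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic: something in link text that reads like a hostname (optionally
# preceded by a scheme and "www."). Group 1 captures the bare host.
HOST_RE = re.compile(r'(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href', '') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.anchors.append((self._href, ''.join(self._text).strip()))
            self._href = None


def _strip_www(host):
    return host[4:] if host.startswith('www.') else host


def _shown_host(text):
    """Host the reader *thinks* the link goes to, or None if the text is plain words."""
    m = HOST_RE.search(text)
    return _strip_www(m.group(1).lower()) if m else None


def _real_host(href):
    """Host the link *actually* goes to; scheme-less hrefs are treated as http."""
    if '://' not in href and not href.startswith(('mailto:', 'tel:')):
        href = 'http://' + href
    host = urlparse(href).hostname
    return _strip_www(host.lower()) if host else None


def find_spoofed_links(html_body):
    """Return [(shown_host, real_host, href)] for anchors whose text and target disagree."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        shown, real = _shown_host(text), _real_host(href)
        # Only a link whose text names a host AND resolves to a different one is suspicious;
        # plain-word link text ("Read more") carries no claim to check.
        if shown and real and shown != real:
            findings.append((shown, real, href))
    return findings


# Constructed message body: one honest link, one plain-text link, one decoy whose text
# names the news site but whose href goes to an unrelated address (198.51.100.23 is a
# documentation-only IP range, used here as a placeholder).
SAMPLE_BODY = """
<p>Thought this article was worth your time.</p>
<p><a href="https://www.news.example.com/story">www.news.example.com/story</a></p>
<p><a href="https://news.example.com/about">Read more</a></p>
<p><a href="http://198.51.100.23/story.html">http://www.news.example.com/story</a></p>
"""

if __name__ == '__main__':
    for shown, real, href in find_spoofed_links(SAMPLE_BODY):
        print(f'SUSPICIOUS: text claims {shown!r} but href goes to {real!r} ({href})')
```

The check is deliberately narrow: it raises no alarm on ordinary "click here" links, only on text that makes a hostname claim the href contradicts, which is the pattern step 4 describes. Decoys that use look-alike domains rather than a literal mismatch need a separate comparison against a list of brands or internal hostnames.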