Ah, you're being asked to login, enter your username and password"
User gets an e-mail flagged with great big security notice that its highly likely to be malicious & already being investigated, clicks on it anyway, contacts the sender when it prompts for her credentials who assures her it’s fine.
Enters her creds, the PDF says “Thanks”, she e-mails back again requesting the sender resends the original attachment as a PDF & comments that "I am starting to think this was a scam to get my credentials." ………
Three weeks later…....Thursday night she gets a hint something is amiss.
All Friday she gets e-mails & people sticking head around her door saying “Did you send this, it doesn’t sound like you”.
Finally, after finishing work on Friday (1 hour time difference BTW) & arriving home, she finally sends an e-mail in querying the fact she hasn’t received a email all day (actually since 3.15pm the previous day).
Security kicks in, changes passwords etc, she ums & arrr’s on the phone saying she might have have given her credentials away three weeks ago & then is suddenly pretty sure she didn’t. I comment that this should have been flagged a lot earlier by her colleagues if not herself, not last thing on a Friday afternoon.
A weekend of trawling through her emails reveals the chain of events above & reveals "she" sent 325+ spam e-mails.
New login ID, new hardware to be shipped to her, Other people get passwords changed & she has conveniently taken the week off suddenly “sick”.