hotmail allows executing JavaScript code in email messages using vascript, which can compromise a user's hotmail mailbox when viewed with Internet Explorer.

Obviously such knowledge is for educational purposes and should only be used to evaluate your own security rather than exploit others.