I've just rolled out some checks to help protect our users from a particular family of XSS attacks via links to PDF files. If you're viewing an HTML message that contains one of these links via the web interface, then the Phishing Protection will disable the link with a warning. URLs of this form that appear in a text message will not be converted to a clickable link.

This should reduce the likelihood of users being compromised by such links sent to them in email messages.

For more information, see this forum thread.