Symantec's Vikram Thakur said the attack took the form of an email purportedly about hotel bookings that was sent to "a select group of individuals within targeted organisations" containing a link to the page containing the exploit.
The exploit silently installed malware that created a backdoor on the victim computer and accessed a server in Poland to download small, encrypted files containing commands.
"Looking at the flow of commands, it is obvious to us that someone is entering these commands manually from a remote computer," said Thakur.
While the attackers specifically targeted Internet Explorer 6 and 7, but Microsoft has determined that the underlying problem is also present in IE 8 though mitigated by DEP (data execution prevention). DEP is enabled by default for IE 8, and can be enabled on earlier versions by using Microsoft's free Enhanced Mitigation Experience Toolkit (EMET).
How did the exploit work? See page 2.