Proofpoint discovered that a recent spate of phishing messages contained macros-based attacks that did not execute until the malicious document was closed.