Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute the code by using hexadecimal codes to specify the javascript: protocol, e.g. jAvascript.
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0081