Phishing – Blocking image hotlinking keeps your files out of realistic phishing pages on other sites
Uncategorized March 9th, 2017
The ISC warns of an obfuscated JavaScript phishing page that renders a highly realistic fake Excel sheet using image files hotlinked from a website other than the attacker's own. In targeted corporate attacks, this realistic HTML can be linked from messages or scripts and trick users into revealing passwords. The fake Excel "security" prompt for an email address and password is convincing and dangerous.
https://isc.sans.edu/forums/diary/How+your+pictures+may+affect+your+website+reputation/22151/
It is part of a phishing campaign and tries to lure the victim into providing his/her credentials to get access to an Excel sheet. Nothing very dangerous for most people. It's simply obfuscated JavaScript code. When loaded in the browser, it first displays a HIGH SECURITY warning. Then, it renders the fake Excel sheet with a popup to enter an email address and password. A good practice is to prevent hot-linking of images. Basically, you configure your web server to serve images only if the Referer is correct.
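The Referer check described above, written out as an added example (not code from the ISC diary or from this post). It assumes the protected site is example.com and uses constructed sample requests; the policy mirrors what nginx's `valid_referers none blocked server_names` expresses, so the edge cases are visible: a missing Referer is allowed by default because direct visits, privacy tools and pages served with Referrer-Policy: no-referrer all omit it, which is also why a phishing page can strip the header with a meta referrer tag and still hotlink your images unless you run the check in strict mode and accept breaking direct image views.

```python
"""Referer-based hotlink check for image requests.

Added example, not code from the ISC diary or the blog post.  The domain
names and the sample requests below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hostnames that may embed our images (assumption: we own example.com).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS, allow_missing=True):
    """Return True if an image request carrying this Referer should be served.

    Policy, in the spirit of nginx's ``valid_referers none blocked server_names``:
    - no Referer at all (direct navigation, privacy extensions, or a page sent
      with Referrer-Policy: no-referrer) is allowed when ``allow_missing`` is True;
    - a Referer that is not an http(s) URL (mangled by a proxy) is treated the
      same way as a missing one;
    - otherwise the Referer's host must be one of ours or a subdomain of one.
    """
    if not referer:
        return allow_missing
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        # The "blocked" case: header present but not a usable URL.
        return allow_missing
    host = (parts.hostname or "").lower()
    if not host:
        return False
    # endswith("." + h) stops "example.com.attacker.net" from matching.
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def handle_image_request(headers, allow_missing=True):
    """Decide the HTTP status for an image request given its request headers."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    ok = referer_allowed(lowered.get("referer"), allow_missing=allow_missing)
    return 200 if ok else 403


# Constructed sample requests: a legitimate embed from our own page, a direct
# hit on the image, a phishing page on a third-party host hotlinking our
# Excel logo, and a phishing page that suppressed the Referer with
# <meta name="referrer" content="no-referrer">.
SAMPLE_REQUESTS = [
    ("own page", {"Host": "example.com",
                  "Referer": "https://www.example.com/reports/"}),
    ("direct", {"Host": "example.com"}),
    ("phishing kit", {"Host": "example.com",
                      "Referer": "https://login-excel.example.net/index.html"}),
    ("no-referrer kit", {"Host": "example.com", "Referer": ""}),
]


def run_samples(requests=SAMPLE_REQUESTS, allow_missing=True):
    """Map each sample request name to the status the check would return."""
    return {name: handle_image_request(h, allow_missing) for name, h in requests}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"allow_missing={mode}")
        for name, status in run_samples(allow_missing=mode).items():
            print(f"  {name:16s} -> {status}")
```

In lenient mode the phishing kit that hotlinks with a normal Referer gets a 403, but the kit that blanks the Referer still gets the image; only strict mode (`allow_missing=False`) stops it, at the cost of refusing direct views and privacy-conscious browsers. Treat the check as a reputation and bandwidth measure, not as a security boundary: the attacker can always copy the images to their own host. The equivalent nginx configuration is a `location` block for image extensions containing `valid_referers none blocked server_names ~\.example\.com$;` followed by `if ($invalid_referer) { return 403; }`.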