> But the point is, unless you are technically skilled, you probably can't tell whether you're about to go to a trusted file or download something random.
Under what circumstances would a link you click on a website or an email _ever_ be a trusted file?
You can be on a legitimate, trusted web site or be reading a legit, trusted email from a contact and still have a link slip in there. Other commenters like xsmasher have described a benign example; I'll rephrase:
> I've attached familyphotos.zip -- here you go!
The email client will presumably have a link below called familyphotos.zip, but the email client ALSO link-ified the text familyphotos.zip to download the content at https://familyphotos.zip, which is untrusted but you don't realize it doesn't go to the same familyphotos.zip file.
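An added example, not part of the thread or of any mail client's code: one way a client could avoid the confusion described above is to classify host-like tokens before linkifying them. The function name, the action labels and the TLD list are assumptions, and the sample message is constructed.

```javascript
// Added example: decide how a mail/chat client should render host-like tokens.
// FILE_LIKE_TLDS and the action labels are assumptions made for illustration.
const FILE_LIKE_TLDS = new Set(["zip", "mov"]);
const TOKEN = /\bhttps?:\/\/[^\s<>"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi;

function classifyTokens(text, attachmentNames = []) {
  const attachments = new Set(attachmentNames.map((n) => n.toLowerCase()));
  const results = [];
  for (const match of text.matchAll(TOKEN)) {
    // Drop sentence punctuation that the URL pattern swallowed.
    const token = match[0].replace(/[.,;:!?)]+$/, "");
    const explicit = /^https?:\/\//i.test(token);
    let host;
    try {
      host = new URL(explicit ? token : "https://" + token).hostname;
    } catch {
      continue; // not parseable as a URL: leave it as text
    }
    const fileLike = FILE_LIKE_TLDS.has(host.split(".").pop());
    let action = "link"; // ordinary domain or URL
    if (!explicit && attachments.has(token.toLowerCase())) {
      action = "attachment"; // names a real attachment: point at it, not the web
    } else if (!explicit && fileLike) {
      action = "plain"; // reads as a filename: do not auto-link
    } else if (explicit && fileLike) {
      action = "link-show-destination"; // sender typed a URL: link, but display the host
    }
    results.push({ token, host, action });
  }
  return results;
}

// Constructed sample message.
const SAMPLE = "I've attached familyphotos.zip -- here you go! " +
  "Mirror: https://familyphotos.zip and https://example.com/familyphotos.zip, docs at example.org.";

function demo() {
  return classifyTokens(SAMPLE, ["familyphotos.zip"]).map((r) => `${r.token} => ${r.action}`);
}
console.log(demo().join("\n"));
```
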
Or the attacker could've just sent you ... a link to familyphotos.zip. I'm not sure why you're bringing client-side auto-vivification (which yes, is a bad idea) into the picture when the attacker could equally send a link. I'm also not sure why you assume that clients will begin to auto-vivify .zip links just as a result of it existing, nor why you assume that's any worse than them auto-vivifying https://example.com/familyphotos.zip.
hxxps:[//]]familyphotos.zip (broke the link on purpose) is already registered, and it downloads the zip file. 4 days later, and unsurprisingly, it's already happened. I'll open the zip in a VM and see what happens, it's 0.58 KB...
Update: Turns out it just contains what_happened.txt, a copy of which is below. Thanks anonymous person!
```
"Hey, this isn't family pictures!"
You're right -- and that link you clicked wasn't a file attached to the email
or message you received.
Thanks to Google[0][1], now it's impossible to discern the difference between
a link to an attachment called "familyphotos.zip" and a link to this file...
unless you are able to inspect the destination of a link before clicking it.
Most software and apps don't allow that, and most people don't know how to
tell the difference anyway.
```
Yes, downloading a file (even a zip) is significantly more dangerous than opening a zip domain. I would be worried about the opposite problem. Say zip becomes a commonly used domain. And maybe on some website a link is not very distinguishable from a file, and someone might end up downloading the file instead of opening a link.