[Semaphor]

I think Windows has some kind of source flag, where if it’s from an online source, you have to opt-in into running it.

[jabroni_salad]

zone.identifier aka "Mark of the Web" and it is responsible for triggering a Smartscreen scan of that file.

You get an 'are you sure you want to run this' and also the Office Protected View, both of which users will reflexively click via muscle memory at this point.

You also get the download and referrer URL attached to every file that came from the internet which is nice for forensics stuff.

[donatj]

It's a filesystem fork on the file triggering a UAC style warning. Laypeople are imho generally pretty blasé about accepting those.

[AnIdiotOnTheNet]

People have been trained to ignore such popup warnings by common superfluous popup warnings like "are you sure you want to quit?", and nowadays ads and newsletter sign up bullshit.