[psacawa]

A phishing strategy this enables: confusing the https:// URI scheme with the file:// pseudo-URI scheme.

For example, we receive a phishing email which reads "This is the bank with your financial statement attached. It's a password protected zip file encrypted with your online banking credentials for security." We click to download and end up at https://financialstatement.zip, where a JS prompt asks us for the decryption password. We think we're interacting with the file system and get owned.

Crucially, i) some browsers don't display the URI scheme in the address bar, and ii) people are used to the idea of a password-protected zip file, and iii) people are used to opening files with their browser.

[psacawa]

The website can further strengthen the illusion of interacting with the FS by using HTML+CSS that imitates the browser's builtin file browser. It knows what it might look like by examining User-Agent and Accept-Language headers.

[benatkin]

Anyone can do that now.

    <a href="https://anydomainname.com/">financialstatement.zip</a>

If it's a plain text email, attachments show up in a separate area.

If it's an HTML email, you could potentially fake the attachment area with or without a .zip TLD, just by adding a carefully constructed image.

[thefifthsetpin]

That's not going to get through even the most rudimentary anti-phishing filters, and at least some email clients still hint to you what's going to happen when merely hovering over that link.