[benatkin]

Anyone can do that now.

    <a href="https://anydomainname.com/">financialstatement.zip</a>

If it's a plain text email, attachments show up in a separate area.

If it's an HTML email, you could potentially fake the attachment area with or without a .zip TLD, just by adding a carefully constructed image.

[thefifthsetpin]

That's not going to get through even the most rudimentary anti-phishing filters, and at least some email clients still hint to you what's going to happen when merely hovering over that link.