Category: Tech Tip | Published: 2026-04-17
The Risk That Arrives as a Document
Phishing attacks have become significantly more sophisticated, but one of the most effective delivery methods remains the humble file attachment. An email arrives from what looks like a supplier, a colleague, or a familiar service. It carries a document, a spreadsheet, or a PDF. The sender asks you to review something, check an invoice, or sign a form. The request looks routine.
Opening that file directly can be all it takes. Many phishing attacks are designed not to do damage at the point of delivery, but to trigger harmful processes once a file is opened in a desktop application. The good news is that a simple habit, using file preview in your browser before downloading anything unfamiliar, significantly reduces that risk without adding meaningful friction to your day.
What Happens When You Open a File Directly
When you download a file and open it in a desktop application such as Microsoft Word, Excel, or Adobe Acrobat, you are running it within the full capability of that application. This matters because modern document formats can contain embedded content that goes far beyond text and images.
Macros are the most well-known risk. These are small programs embedded in Office files that can execute automatically when a document is opened, or prompt the user to enable them with a plausible-sounding reason. Phishing attacks frequently use macros to download malware, establish remote access, or exfiltrate data from a device. Other file types can contain scripts, hyperlinks designed to capture credentials, or payloads that exploit vulnerabilities in specific application versions.
The key point is that the threat is not necessarily visible in the document content. A file can look like a perfectly normal invoice while carrying something harmful.
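For IT teams who want to check a suspicious attachment without opening it in Office, the added example below (not from the original article) reads a modern Office file as the zip archive it is and reports macro parts and external link targets. The function names and the sample file are constructed for illustration; legacy .doc and .xls files are not zip containers and are reported as such.

```python
import io
import re
import zipfile

MACRO_PART = re.compile(r"(^|/)vbaProject\.bin$", re.I)  # compiled VBA project part
REL_TAG = re.compile(rb"<Relationship\b[^>]*>", re.I)
TARGET = re.compile(rb'\bTarget="([^"]*)"')


def triage_ooxml(data: bytes) -> dict:
    """Inspect an attachment as a zip archive; no part of it is executed or rendered."""
    report = {"macro_parts": [], "macro_enabled_type": False, "external_targets": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {**report, "error": "not an OOXML (zip) container"}
    with archive:
        for info in archive.infolist():
            name = info.filename
            if MACRO_PART.search(name):
                report["macro_parts"].append(name)
            if name != "[Content_Types].xml" and not name.endswith(".rels"):
                continue
            with archive.open(info) as part:
                xml = part.read(1_000_000)  # capped read; regex scan, no XML parser
            if name == "[Content_Types].xml" and b"macroEnabled" in xml:
                report["macro_enabled_type"] = True
            for tag in REL_TAG.findall(xml):
                if b'TargetMode="External"' in tag and (m := TARGET.search(tag)):
                    report["external_targets"].append(m.group(1).decode("utf-8", "replace"))
    return report


def build_sample() -> bytes:
    """Constructed sample: macro-enabled Word container with one external hyperlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType='
                   '"application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        z.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Target='
                   '"https://login.example.invalid/" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample()))
```

A clean report does not prove a file is safe; it only shows that these particular markers are absent.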
How Phishing Attacks Use Documents as Lures
Phishing attacks that use file attachments typically rely on two things: a convincing sender identity and a plausible reason to open the file. Attackers impersonate trusted contacts, well-known businesses, courier companies, HMRC, or internal IT departments. The attached document might appear to be a delivery notice, a payslip, a contract, a policy update, or an urgent request for review.
The social engineering is often the most polished part. The email itself may look entirely legitimate, with correct logos, professional language, and a sender address that closely resembles a real organisation. By the time the recipient reaches the attachment, their guard may already be down.
This is why relying on your ability to spot a phishing attack at the email level alone is not sufficient. Adding a layer of caution at the file-opening stage gives you a second opportunity to catch something before it causes harm.
What File Preview Actually Does Differently
Browser-based file preview renders the content of a document in a sandboxed web environment. Rather than opening a file in its native application with full execution capabilities, the browser displays a visual representation of the content.
This means macros do not run. Embedded scripts cannot execute. The file is shown, not operated. You can read the content, check whether it is what you expected, and assess whether anything looks suspicious before committing to a full download and open.
File preview is not a perfect defence against every threat. A document shown in preview could still contain a convincing link designed to redirect you to a credential-harvesting site. But it removes the category of threats that depend on code execution at the point of opening, which covers a large proportion of phishing attacks delivered via email attachment.
How to Use File Preview in Microsoft 365
If you use Outlook on the web or access files through OneDrive, file preview is straightforward to use:
1. Click on the attachment or file link.
2. Select Preview or Open in browser when the option appears.
3. The file will open in a web-based Office viewer.
4. Review the content and check whether it matches what you expected.
5. Only download and open the file fully if you are satisfied it is legitimate.
Word documents, Excel spreadsheets, and PDFs will typically open in the browser viewer without requiring a download. If Microsoft 365 does not offer a preview option for a particular file type, that itself is worth treating as a reason for additional caution.
How to Use File Preview in Google Workspace
For Google Workspace users accessing Gmail or Google Drive:
1. Click the attachment or the file in Drive.
2. Select the Preview option, which is often displayed as an eye icon.
3. The file will open in a browser window through Google's document viewer.
4. Review the content before deciding whether to download it.
Google's viewer will display most common document and PDF formats without requiring a local application to open them. As with Microsoft 365, if a file type cannot be previewed, treat that as a prompt to verify with the sender before proceeding.
What to Watch For Even When Previewing
File preview reduces risk but it does not eliminate it entirely. When reviewing a document through a browser viewer, keep an eye out for the following:
Requests to enable editing or macros once downloaded. A file that immediately asks you to turn on macros after opening is a significant warning sign, and a common feature of phishing attacks that use documents as delivery vehicles.
Links that prompt further action. A previewed file might contain hyperlinks to external sites. These can be designed to look like legitimate login pages or download portals but are actually credential-capture tools. Hover over any link before clicking to check the destination URL.
Files from unexpected or unknown senders. Even if a file previews without obvious issues, consider whether you were expecting it. If you were not, verify with the sender through a separate channel, such as a phone call or a new email thread, before opening the full file.
Generic or vague document content. Phishing attachments often contain minimal content with a strong prompt to take action, such as a brief message saying your account needs attention, your delivery requires confirmation, or your signature is required.
Making It a Team Habit
The value of file preview as a security measure depends on it being used consistently rather than occasionally. One person in a team bypassing the habit is all it takes for a phishing attack to succeed.
The most effective way to embed this behaviour is to make it part of a simple, memorable rule: if you did not expect a file, preview it in your browser before you open it. It takes a few extra seconds and can prevent a significant amount of harm.
This is particularly relevant for roles that regularly handle external documents, including finance teams processing invoices, HR teams receiving CVs and forms, and anyone who deals with supplier or client correspondence.
If you would like help building stronger security habits across your team, or want to understand what other practical measures can reduce your exposure to phishing attacks, our cyber security team is ready to help. You can also get in touch directly for a conversation about your organisation's current security posture.