A phishing email disguised as an invoice or a shipping notice may contain a .zip or .iso attachment. Inside that archive is a script (often a .js or .vbs file) that, once clicked, executes the payload, initiating a silent download chain.