Simple Instructions Over "Correct" Instructions
You may be a security expert, or at least a very knowledgeable person when it comes to computers, but the vast majority of people - even those who work with computers on a daily basis - are not. I know entirely too many people who think computers are basically a box full of plastic and magic.
Explaining to these people which file extensions are more likely to be dangerous and which ones are less likely to be dangerous will probably lead to a lot of confusion. I assure you that a significant number of people who work in an office can't tell the difference between a PDF document and a Word document, so explaining what the risk of each is, is not very productive.
As such, broad statements like "Don't open files from e-mail attachments unless they are from a trusted source" are useful still, even if they are not 100% technically correct.
Which Files Are Dangerous?
Basically, all of them. Always presume that a file is dangerous, even if you can't imagine how it could possibly be. Here is a list of some common file types and how they could be dangerous:
- PDF Files: PDF is a complex file format and as of the time of this writing, over 1500 exploits related to PDFs exist in the CVE database.
- Office Documents: One of the most prominent attacks in Office documents is macros. The general idea is that you send someone an Office document, claim that it contains some important information, then create the document in such a way that it only displays the supposed information if macros are enabled. For example, you can steal NTLM hashes like that.
- Spreadsheets: Also related to Office applications, you can create a malicious spreadsheet, which executes OS commands when being opened. This attack is called CSV Injection.
- ZIP Files: ZIP files can be quite dangerous. For one, they can cause Denial-of-Service attacks through something like a zip bomb or place arbitrary files on a machine through zip slipping.
While there are indeed measures to mitigate some of these risks, oftentimes these include asking the user if they want to do something risky. 9 times out of 5, they will say yes. Not because they understand that the action they're about to take is risky, but because their computer asks them so often if they want to do something and they're used to playing the little game where they have to find the button that makes the computer do what they want to do.
How to Mitigate This Risk?
There is no perfect one-size-fits-all solution. If there was, we wouldn't have to worry about malware. It depends largely on the technical expertise of who you are talking to.
When talking to an expert, I would say "Trust your gut!". Your instinct is the most advanced part of the brain, optimized over millions of years through the most brutal optimization process in existence - you do well to use it.
If you have a bad feeling about a file, don't open it. And if you have to, do it in a VM on an air-gapped machine, which you completely scrub afterwards.
When talking to the average user, I would repeat the same handful of security tips you have heard a million times. Don't open files from untrustworthy sources, have an up-to-date anti-virus, etc. etc. You've heard it a million times before.
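The zip bomb and zip slip risks from the list above can be checked from an archive's own directory before anything is extracted. This is an added example, not part of the original post: `audit_zip`, `build_sample`, the destination path and both limits are assumptions chosen for illustration, and the sample archives are constructed in memory.

```python
import io
import os
import zipfile

MAX_TOTAL_BYTES = 100 * 1024 * 1024  # assumed cap on declared unpacked size
MAX_RATIO = 100                      # assumed cap on per-member compression ratio


def audit_zip(data: bytes, dest: str = "/srv/unpack") -> list[str]:
    """Return findings for an archive without extracting any member."""
    findings = []
    dest_root = os.path.realpath(dest)
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Zip slip: resolve where the member would land and require
            # that it stays underneath the destination directory.
            name = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                findings.append(f"zip-slip: {info.filename}")
            # Zip bomb: sizes here are the ones the archive declares, so
            # extraction code should still enforce its own byte limit.
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(f"ratio: {info.filename}")
    if total > MAX_TOTAL_BYTES:
        findings.append("total-size")
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (demonstration input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_zip(build_sample({"report.txt": b"quarterly numbers\n"})))
    print(audit_zip(build_sample({"../../outside.txt": b"x"})))
    print(audit_zip(build_sample({"zeros.bin": b"\0" * 5_000_000})))
```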