I think it's safe to say that common sense should be used when receiving attachments from either an unknown sender, or a known sender with no prior announcement - at the very least.

I'm not associated with x-hash, but since entering cryptocurrency I've been especially apprehensive about handling attachments on machine(s) that I use for any crypto-related functions.