*sigh*
I guess for those of us in-the-know, a random Word file that shows up and asks you to enable macros might as well just skip the pretense and use a filename of "Please run this virus.exe."
Unfortunately, most users are not in the know. The best thing you can do is try your damnedest to prevent such things from ever reaching the user.
They get crafty. A company I temped at for a short stint had got what was at least a simpler virus through a false resume. Those are the worst; invoices you can try to figure out before opening, but what if you ever entertain accepting unsolicited resumes? Not at all a rare thing, and I have no idea how companies even accept resumes sent as email attachments - corporate IT must not get a say in that! lol ... or they really trust their defenses and perhaps HR-specific email training?
But yes, thankfully the strongest defense against a lot of this crap is simply having risk awareness and knowing best practices for handling suspicious attachments, downloads, and links. As you say, for us in the know, it's a hell of a lot easier to see the risks. But unfortunately, that's not enough these days: with all the web-based vulnerabilities, unless you run with the most stringent noscript and ad-blocking approaches on every single website, the zero-day threats are everywhere. I do when I know I'm about to head to a site that I believe questionable, loading it in Firefox with all my blocking tools, but that's truly not enough as even the best sites can suddenly get crap (even this site, unfortunately) if an ad network becomes a victim or numerous other possibilities.
I hope when I build my server that I can create a strong configuration in Sophos XG to add a strong protection layer to my browsing habits.