Comment by gomox

Author here.

That is definitely a good idea, and I recommend it. But that should not be the main takeaway.

In our particular case, that was not found to be the problem (we think it was some sort of false positive), and there are valid reasons for users to do that anyway (upload a phishing email attachment onto an IT support ticket, for example).