Watch this video on YouTube
During which kill chain phase do attackers typically embed malicious code within harmless-looking files?