When the victim runs the downloaded program, Windows shows "Der Computer wurde durch Windows geschützt" (SmartScreen). What is this protection, and why doesn't it stop the attack?
Microsoft Defender SmartScreen warns before running unknown/unsigned apps — but it's an overridable warning, so the user can click "More info → Run anyway" (nothing forces them to).
SmartScreen is reputation-based: Windows checks whether the executable is widely seen and signed by a known publisher. A freshly-built Metasploit payload has no reputation and an "Unbekannter Herausgeber" (unknown publisher), so SmartScreen blocks it by default and hides the "Run anyway" button behind a "Weitere Informationen" link.
But it is a speed bump, not a wall — any user with local rights can dismiss it. Social engineering does the rest ("it's just a Word file, click through"). This is why the human is the weakest link: the OS warned correctly and the attack still succeeded because a person overrode it.
Tip: Reputation/▲signature checks raise the bar but never replace "don't run untrusted code."