Don’t run JavaScript email attachments: they can carry potent ransomware
Either disable the script host or set Notepad as default program for Javascript and Visual Basic Script files.
Other than that don’t take presents or candy from strangers like you were taught as a child by your parents. Look before you leap… 
But since these are unknown files wouldn’t they get sandboxed in the first place? I never tried.
I sometimes get those type of malware. It is always packed in zip archives and relies on social engineering. It says it’s an invoice, something scanned or so. It takes quite some steps to actually get infected.