How can an attacker execute a file that has been spoofed using a Long UNC filename?
The spoofed file cannot be double-clicked directly. Instead, the attacker must use its short 8.3 filename (e.g., `CALC~1.EXE`) obtained via `dir /x`. Execution methods include running it from the command line, via WMIC (`wmic process call create C:\Windows\System32\CALC~1.exe`), or through VBScript/JavaScript. After launch, tools like Process Explorer may show the process as having the legitimate Microsoft certificate, as noted in the article's test results.
short filename, process execution, WMIC, Process Explorer, process signature