Microsoft’s fix for CVE-2026-40361 has put a familiar question back on the table: how much risk can live inside the mail preview path before anyone clicks anything?