<html> <script> prompt('XSS by Osanda Malith'); </script> </html>
Once you open the attachment, the code gets interpreted.
However, due to the same-origin policy, this bug can’t do much damage. If you run
alert(window.sessionStorage.protonmail_pw), it would result in “undefined”.