@lauren @jwildeboer I think the supposed issue is phishing not spam. But it's still email trying to solve an out-of-scope problem. If your employees can get tricked to disclose credentials by an email, the problem is not that you didn't write a sufficiently draconian filter to block the email. It's that you gave them phishable credentials.