Hello Pete firstly thank you for replying to this post and referencing the TechNote. However the problem sometimes is with the user education as well. For example consider the below scenerio.
the actual domain name of the organization is galaxy.com . an intruder tries to spoof the domain via replacing a single character in the actual domain name like this galaXy.com or galaxY.com so that the end users recieiving the email would hastly review it .
I have one of the customers who are constantly facing such kinds of phishing attacks where the attacker is constantly rotaiting the characters in the domain so in this case adding the domain in bad senders group or creating a compliance rule to block such email which are spoofed from the domain are somewhat less effective to block such kind of attacks