Phishing and credential leaks have always been difficuilt to block with technology that’s currently available. Relying on email spam filters might reduce the volume to a point but are likely noticing some still come through. While all of the mitigation techniques you have will offer protection, user education and simulated phishing emails are extremely important too.
One mitigation technique is to create a rule and route emails for approval coming from the outside your domain that contain attachments with the following file extensions .html, .htm, .aspx, .asp, .shtml, .zip and .one. As you monitor the emails to approve you can add exceptions to your rule. Some secure email systems, like Cisco, send a html attachment for to view the secure email.
Phishers are getting creative and they often embed your domain name in the link of the URL so when the unsuspecting employee clicks on it, it will show your domain name on the web site. This way they can send a mass phishing campaign and don’t need to change their code. You can create a rule and route emails for approval from outside your domain that contain your domain name within the href tag of the link. Add the rule that matches the pattern in the message subject or body to be: <a [^>]*\bhref\s*=\s*”[^”]*YOURDOMAINNAME.*?<\/a>
Have other suggestions, leave a comment!