Configure further Office 365 anti spam options
Enable 2FA where possible
Enable Multi-Factor or 2FA everywhere - you are harder to phish if its enabled
Consider hardware tokens universally, if not possible hardware for users that can make financial decisions.
Software 2FA should be configured for all users
The following links provide additional information and details re Office 365’s extensive anti-spam configurations:
https://protection.office.com/antispam
https://outlook.office365.com/ecp/Antispam/EditEnduserSpamNotification.aspx.
Using Transport Rule to get copies of emails:
Managing International Spam
On the International Spam settings, you can filter out email messages written in specific languages, or sent from specific countries or regions
https://www.undocumented-features.com/2019/08/13/exchange-online-protection-eop-best-practices-and-recommendations/#International_spam
Attachment Blocking
Ensuring RFC-compliant From addresses
Malware Detection Policy
https://www.undocumented-features.com/2019/08/13/exchange-online-protection-eop-best-practices-and-recommendations/#Anti-malware_filter_policies