Currently, any user that gets a phishing email. The sender and domain is blocked, we have mimecast implemented that we use to do this.
The team I’ve joined is new and has no official process in place, Service desk block the sender and domain, then inform other users that it was phishing that received the email.
It’s a little clunky as we have had over 1,000 reports in the last 3 months.
Any help/advice is appreciated.