In an educational institution with 30k+ accounts, we are receiving 1 or 2 phishing messages each week on every mailbox.
They are asking for the password of the mail account.
At first they were quite easy to distinguish from real messages. But they are getting better, using real logos and redacting better.
They have a forged "from" header and it is easy to catch them by watching the "reply-to" header.
For now what we are doing is restricting outbound messages to the phisher's mail address.
We were thinking about deleting the phishing mails already saved on the mailboxes: DELETE FROM mail_item WHERE ...
Is this the correct approach?
What do you suggest?
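
The Reply-To check and the outbound block described in the question, as an added example that is not part of the original post: it flags messages whose From header claims a local sender while Reply-To points outside the organisation, and collects those addresses for an outbound recipient blocklist. The domains, function names and sample messages are constructed assumptions, and local domains are matched exactly (subdomains must be listed).

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the institution's own mail domains (constructed value).
LOCAL_DOMAINS = {"example.edu"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def suspicious_reply_to(raw_message, local_domains=LOCAL_DOMAINS):
    """Return Reply-To addresses that leave the organisation while the
    From header claims a local sender; empty list if nothing is off."""
    msg = message_from_string(raw_message)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    claims_local = any(_domain(a) in local_domains for a in from_addrs)
    if not claims_local:
        return []
    return sorted({a.lower() for a in reply_addrs
                   if _domain(a) and _domain(a) not in local_domains})


def outbound_blocklist(raw_messages, local_domains=LOCAL_DOMAINS):
    """Addresses to refuse as outbound recipients, gathered from a batch."""
    found = set()
    for raw in raw_messages:
        found.update(suspicious_reply_to(raw, local_domains))
    return sorted(found)


# Constructed sample messages (not real mail).
SAMPLES = [
    "From: IT Helpdesk <helpdesk@example.edu>\n"
    "Reply-To: Account.Verify@mailbox.example.net\n"
    "Subject: Confirm your password\n\nbody\n",
    "From: Registrar <registrar@example.edu>\n"
    "Reply-To: registrar@example.edu\n"
    "Subject: Enrolment dates\n\nbody\n",
    "From: Newsletter <news@lists.example.org>\n"
    "Reply-To: editor@lists.example.org\n"
    "Subject: Weekly digest\n\nbody\n",
]

if __name__ == "__main__":
    for address in outbound_blocklist(SAMPLES):
        print(address)
```
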