Email Threat Protection uses multiple different test vectors to combat phishing messages destined to your server. The largest ones are the Spearphish test, Signature test, and Fingerprint test, although we have others that will hold or contribute weight towards the suspicious characteristics that phishing messages contain.
A few helpful practices:
1. Allow trusted external IP’s or reliable references from headers using mail rules for anything legitimate that originates from external sources.
2. Consider adding your own domain to the Blocked Domains list. This has proven effective at preventing spoofing.
3. Hold mail from countries you don’t plan or foresee conducting business with.