A component of my work is phishing and security awareness training. Training is important, but a well crafted attack is unlikely to be defended against by your median human. It only takes once to not inspect headers or DMARC indicators if the message is questionable. You need technical controls to do a lot of the lifting (secure authenticators negating credential exfiltration, aggressive malware detection, etc). We need better tools to detect and quarantine code transiting email that should not be executing. This is interestingly a similar problem to what providers of function running systems (lambdas and low/no code SaaS) face when executing arbitrary code as part of customer requests (sandbox, security observability and boundaries, etc).

Point being these are not supposed to be median humans this is the Uk equivalent of the NSA. GCHQ are hackers and code breakers.