Whatever technical defences you (and I) rely on, there is a probability that the threat actors will find ways to bypass them:
Microsoft 365 anti-phishing feature can be bypassed with CSS (bleepingcomputer.com)
If the phishing email gets as far as your team member’s inbox, they had better be able to identify a credible threat if they see one.
Clive Catton MSc (Cyber Security) – by-line and other articles