First is user training and guidance that they should not click, share or open links. Also, you can review the 90-day free MS Defender and evaluate policies and settings for the tenant.
Review the protection you can implement and start with basic policies to restrict phishing mails and spoofing.
Share this with the users so they are trained and aware of the phishing mails - https://support.microsoft.com/en-gb/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44
Hope this helps.
Please Accept the answer if the information helped you. This will help us and others in the community as well.