Hi @J-3804 ,
By default, there's already a built-in anti-phishing policy that contains a limited number of anti-spoofing features enabled in Microsoft 365 organizations with mailboxes in Exchange Online. It can be viewed in the Anti-phishing page(https://security.microsoft.com/antiphishing).
Considering that your organization is still getting phishing attack, you can increase that protection by refining the current settings of the anti-phishing policy or creating custom anti-phishing policies with stricter settings that are applied to specific users or groups of users. See: Configure anti-phishing policies in EOP.
Furthermore, there are some additional features included in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 which can help protect your organization from phishing threats. For more information, hopefully you can find the document belwo helpful:
Anti-phishing protection in Microsoft 365
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.