>They sent malicious emails to the targeted parties tricking them to share their login information.
This is a reminder how naive we can be interacting with malicious individuals on the internet. Are there any useful platforms that teach internet safety in everyday life?
In most cases, forcing staff to use two-factor authentication is enough to block most of attempts. Employees can still leak their passcode onc (even though stealing codes is more difficult), but there is much less risk of persistent compromise.
2FA is important of course, but it is in no way a panacea. Especially SMS or TOTP MFA. It is near-trivial to add a phase to phishing that captures the second factor as well. Tools like https://github.com/kgretzky/evilginx2 support it out-of-the-box.