I work in IT, and part of ITs duties is managing the enail filter and investigate emails detected or reported as phish or spam.
We don't normally see the actual email, but we get basically all the metadata, you can see all sender information, super useful when dickheads try to spoof the sender, we see all URLs in the emails, with a wuick summary of if it is a bad URL, attachments as well, they all get scanned and we get warnings about them if shit is bad.
I take great pleasure in blocking senders and reporting spam/phishing to improve the global filters.
If a bad email campaign has gone through the filter we have the tools to find the emails in the differebt mailboxes and delete them, the system is also capable of doing this automatically if it detects bad stuff after delivery.
Meanwhile microsoft's exchange online can't even prevent attackers from spoofing microsoft.com as the sender. I nearly got caught by a fake quarantine notification once. The thing that made me suspicious was that the fake login page only took a second to load. The real one is never that fast.
The entire quarantine BS is trying to reinvent the wheel of the spam folder and causes a shitload of headaches for our internal IT.
Yes, I even ran every character through unicode search to make sure that none of them are different characters than what I thought. All of them were ASCII.