I'm sorry, but the boilerplate answers to this problem will not do. The reality is that many of us started to see that as many as 20% of the items in our "Inbox" are from OBVIOUS fake senders. How they get through the Spam filtering is the fault of Apple, not the end user (who is always burdened with fixing the flaws in software that never get fixed).
To wit: here is one of many variations on the sender's address:
infopysiqgonpzxuwvkdtx0c@quytjm8z54ejf9etwbtn.mail-nat.workday.com
Sometimes there are TWO domains stuck together with two @ symbols. I know Apple can end this easily. So why won't they? It doesn't matter how many times you flag the message, mark it as spam, block the sender, and have it all go to the trash. They are back the next day with 20 more phishing emails from roof gutters to getting poisoned on Camp Lejeune. I am sure that your email servers can nip this in the bud. So, why won't you?