The only time that a phishing attempt actually worked for our company (afaik) occurred when someone emailed an executive in our company (ugh) with a docusign looking email with content that he was EXPECTING. it redirected him to a fake Active Directory sign in link that he fell for. Immediately after entering his password his outlook spammed his entire contact list with the same phish except addressed to them specifically from his actual email, with a link that looked like a shared Office 365 document. It wasn't good.