Their email filters missed these threats. Good thing the users didn’t.