The first line of email defense is a properly formed SPF record. “Papers, please.” Those words denote fear. Some official authority figure (often with a gun, and with lots of co-workers with guns) is asking for identification at a checkpoint.
We always have the Paladin Sentinel Monitoring console up during the day. I am still seeing mass use of the domain administrator account to RDP into servers and lots of daily RDP connections in general. There are legitimate reasons to RDP into servers.
You all may have heard Scott talking about “those ex-NSA guys at Huntress” he talks to. Bob and Scott have been stressing the importance of layers of security for proper cyber defense for many years now. CSI uses Huntress on all Windows machines.