Excuse me, but that's not very useful. What if the spammer/spoofer uses a different email every day? We can't simply add manually rules everyday, or add all the domains we interact with to different rules.
I've exactly the same problem as raimund. Malicious attachments undetected by ESET and many other vendors (they get detected after few days), with the from address spoofed (reply-to is another address, similar to the spoofed one).
Isn't there anything else that can be done? I've already configured rules to quarantine all emails with macros-enabled attachments, but I got one today that contains a malicious Excel in xls format, not xlsm. It's not possible to simply quarantine all emails that include a xls file