A phishing attack is most likely to come from an external email address that has been spoofed to look like an internal email address. This can be done by subtly changing the email domain to look like company domain. For example company domain company.com could spoofed as cornpany.com ("r" and an "n" instead on an "m").
Using a Stationery Policy that adds a header to all external emails, can help alert recipients that it may be a spoofing attempt. For example the stationery policy could use the following:
This is an external email.