Did your boss just send you an urgent and unusual request? Maybe they're asking for money, or your password?
Before you do any of that, check the sender's address, and look very closely at it. Some of the more sophisticated attacks will even buy domains that look very similar. Something like: bill@microssoft.com.
When you create an email address, you can put whatever name you want on it, and that will appear as the sender. So, if you're the lead of an organization, you can expect that to be discovered, and for hackers to create accounts and spam your staff with requests.
This is not the fault of the user being impersonated. It does not mean their account is compromised. Nothing they have done contributes to this type of attack, and they do not need to take any action (e.g. password reset).
Mitigation Tactics:
Employee education: Add a section to your employee handbook that speaks to technology threats they should be aware of, such as this. Additionally, run simulations of phishing attacks. With these simulations, you can identify who those that would benefit from additional education.
Microsoft 365 Anti-Phishing Policies: There are settings that can be selectively enabled in Microsoft 365 to help combat this. We recommend enabling those for senior management, as they're most often the ones impersonated. Details here for admins.
Ensure you have identity and device security enforced, so that when someone does click a link, that their identity is protected with multi-factor authentication, and that the device has modern antivirus protection.
Sometimes attackers ask for money. This is cannot be controlled with IT security, and would get into the area of financial controls, but should be considered. Approval workflows for payments may help combat accidentally paying out to a criminal in these scenarios. Consider requiring additional training and testing for anyone with the ability to purchase or send money, so they are adept at spotting scammers.
We implement and continually evaluate standard protections against this an other attacks as part of our Managed Services solutions. Contact us to discuss how we can protect your organization from these and other modern threats.