It's a tricky problem.
The emails we see most at work are "From" "CFO's Name <rando-email@gmail.com>" - The email address itself is completely valid, and passes all traditional anti-spam systems (SPF, DKIM, DMarc, etc) but the name portion of the email has been modified to match one of our senior staff.
Usually the email domain is a major provider (gmail, hotmail, yahoo) but sometimes the email has been relayed through someone else's (probably compromised) mail server. I can't block the major providers. The compromised servers eventually end up on someone's RBL list, but we've already received the malicious email by that time.
There are spam filter services that claim to identify and block these sorts of emails, but I've never used any.
We could (I suppose) build a template to look for any of our local users' names combined with non-official email addresses and deliver them to 'Junkmail' but then you'd have problems with:
* users' personal emails - in case someone is locked out of their business email
* suppliers and collaborators (much of the spoofed emails we get also look like "frequent supplier's name <rando-email@gmail.com>" or "sister-organization-user's-name <rando-email@gmail.com>"
To truly identify emails like these you would need a system that keeps a record of which email addresses and names get involved in ongoing productive conversations, then do something different with emails that use the same name portion but a different email address.
I took a different tack and signed up for end-user security training from
KnowBe4. Every user is required to take a couple online courses in how to identify fake emails, then, if they get fooled and click on any of the links or attachments in a weekly fake email they win an extra 20 minute online training session in how to identify malicious email messages. The fake emails are designed to mimic current malicious email techniques, or you can build your own templates.