then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.
Frank doesn't sign his e-mail that way, so something must be up. Or, I don't know Frank personally, why would he send this to me? Or, Frank always sticks his head in my office right after he sends an e-mail and asks "did you see my e-mail?", so this must be fake. If your investigations that allow you to "spear phish" are good enough to solve these sorts of problems, you don't need to phish for stuff, you've paid off the cleaning crew and they can just take the papers.
As for technological solutions (after all, this is /. ), we can assume that the e-mail was flagged as arriving at our e-mail server from an external server (i.e., not authenticated against our network), so it has a header added that causes it to be filtered by e-mail rules to not go directly into the inbox, but instead into the "external contacts" folder. Yes, I know most companies don't do this, but they should. My company adds headers, but doesn't automatically filter...that's up to the user.
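As an added example (my own code, not from the comment above or any particular mail product), here is what the two halves of that scheme look like in Python: the server side stamps a header on any message whose first hop into our network was neither an internal relay nor an authenticated submission, and the client side routes on that header. The relay names, the header name, the folder name and the sample messages are all assumptions constructed for the example. One detail worth getting right: the server must discard any copy of the tag that arrived with the message, otherwise an outside sender can pre-set it to "no" and land in the inbox.

```python
import re
from email import message_from_string
from email.message import Message

# Hypothetical names for this example; the original comment does not specify any.
INTERNAL_RELAYS = {"mail.example.com", "smtp-int.example.com"}
EXTERNAL_HEADER = "X-Arrived-From-Outside"
EXTERNAL_FOLDER = "External contacts"

RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def first_hop_is_external(received: str) -> bool:
    """Inspect the Received line our own server wrote and decide whether the
    sending host was an internal relay or an authenticated client."""
    # ESMTPSA / "authenticated" marks a submission that logged in to us
    if "ESMTPSA" in received or "authenticated" in received.lower():
        return False
    m = RECEIVED_FROM_RE.match(received.strip())
    if not m:
        return True  # unparseable line: fail closed and treat it as external
    host = m.group(1).strip("()[]").lower()
    return host not in INTERNAL_RELAYS


def tag_external(raw: str) -> Message:
    """Server side: add the external-origin header based on the first hop."""
    msg = message_from_string(raw)
    # Never trust a copy of the tag that came in with the message (deletes all instances)
    del msg[EXTERNAL_HEADER]
    received = msg.get_all("Received") or []
    # Each relay prepends its Received line, so index 0 is the hop into our network
    our_hop = received[0] if received else ""
    msg[EXTERNAL_HEADER] = "yes" if first_hop_is_external(our_hop) else "no"
    return msg


def route(msg: Message) -> str:
    """Client side: the filter rule the comment wishes every company enforced."""
    return EXTERNAL_FOLDER if msg.get(EXTERNAL_HEADER, "").lower() == "yes" else "INBOX"


# Constructed sample: the spear-phish, delivered from outside with a forged
# copy of the tag already present.
PHISH = """Received: from mx.evil.example (mx.evil.example [203.0.113.5])
\tby mail.example.com with ESMTP id 4f3a
From: Frank <frank@example.com>
To: joe@example.com
Subject: missile system flight parameters
X-Arrived-From-Outside: no

Hi Joe, we found another missile system using flight parameters...
"""

# Constructed sample: a genuine message Frank submitted over an authenticated session.
INTERNAL = """Received: from workstation42.example.com ([10.0.0.42])
\tby mail.example.com with ESMTPSA id 4f3b (authenticated as frank)
From: Frank <frank@example.com>
To: joe@example.com
Subject: did you see my e-mail?

Joe, check the parameters on the shared drive.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("internal", INTERNAL)):
        print(name, "->", route(tag_external(raw)))
```

The folder decision rests only on the Received line the company's own server wrote, never on anything the sender controlled, which is why the forged header in the first sample does not help the attacker.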