Once you know of a phishing attack (or malware activity) you need to check what users fell for it. For prevention, your run of the mill phishing campaign blasts emails at a large number of recipients,you can block domains it uses to prevent infection or visits to malicious URLs.
In essence,defenders need to monitor for and block attacker infrastructure.
In essence,defenders need to monitor for and block attacker infrastructure.