I wonder how many of the keyboard warriors in this thread have any experience of running very large and incredibly diverse networks like Oxford University's.
The guys handling security for Oxford are highly experienced and capable. Oxford's network is far more complicated than a typical University.
Yet they apparently have not implemented 2-factor authentication or rate limiting for students' email accounts...
As others have pointed out, there are a few very simple ways to deal with this sort of thing. Rate limiting alone would likely take care of the problem. This is probably a simple config update on the SMTP server.
Google was picked on b/c it was an easy target. I'm sure there are plenty of other phishing sites out there that don't use Google, yet those weren't blocked. This is a seriously boneheaded way to go about things. Unless you are just going for media attention.
They run the mail on Microsoft Exchange, I think, and I don't think there is an easy way to use 2-factor authentication with Exchange (as opposed to Gmail).
There are numerous solutions for two- and multi-factor authentication with Exchange. PIV/CAC is one example. There are also other soft solutions for 2FA.
have any experience of running very large and incredibly diverse networks like Oxford University's
The fact that they do something doesn't mean that they do it well. As others have mentioned, email filtering in Exchange (bizarre email platform for a university, but ignoring that) seems like a rudimentary starting point here.
The guys handling security for Oxford are highly experienced and capable. Oxford's network is far more complicated than a typical University.