Sending mail server.
“A large proportion of targeted attacks are sent from legitimate webmail accounts....."
In these cases the IP address of the sending mail server is highly relevant. It tells us which webmail providers need to get off their fat, complacent arses and beef up their security to stem the tide of sewage flowing from their shite services.
Here's an idea. If the webmail providers' spam filters can pick up spam with very high accuracy inbound as they do, why the f*** can't they run outbound mail through the things? They could provide an O/B spam folder of things wot were blocked, giving the legitimate user the option to either flag individual items[1] as not spam or, far more likely, delete the lot and change their sodding password. They wouldn't even need to run the spam filters aggressively O/B, keeping false positives to a bare minimum, as just blocking the bleedin' obvious stuff would render this route unusable to spammers.
[1] One at a time - with authentication. We don't want anyone scripting that.