" It's Doris in HR clicking an email link"
On the other hand, it's so easy to blame Doris - the person least likely to be able to distinguish the malicious material from among the daily cascade of messages.
I'm most interested in two things:
 how did the malicious content arrive at the desktop, instead of being filtered out before it got there?
 the almost universal ease with which malicious code launched from one desktop manages to infiltrate entire corporate networks.
Maybe we should not blame Doris or even "IT" - ideally not blame anyone, but instead reconsider the robustness of our infrastructures. The ideal is intrinsic resilience against the unexpected so these (commonly simplistic) attack vectors merely bounce off harmlessly. In my professional experience, the fundamental failing is not usually a technological one, it's lack of effective management oversight. This leads to gross mismatch between assumptions and realities, as was so evident at Equifax, and the result is inevitably an unwitting soft target.