The one email address I have that receives frequent spam - which gets reported - is an old Hotmail address. Apart from SEO and the like service offerings* the phishing spam it receives is almost entirely pretending to be from one of the numerous Microsoft email brands. A check in the server spam folder shows that almost all other phishing spam such as advance payment scams is trapped and virtually none of the fake Microsoft mail is trapped. I'd have thought that there should be sufficient reports for NCSC to start having a quiet word with Microsoft to tighten up.
NCSC need to have words with their own marketing department. Earlier this year the responses to reports started including links to their own puffery making them look just like phishing emails. The link in TFA to the report is non-functional with JavaScript blocked. Given the point made in the report about JavaScript framework poisoning they really should know better than to (a) depend on JavaScript so heavily on their own site and (b) send out emails pointing to it.
* These generally get a response pretending to be a supplier questionnaire designed to suck them in before gently leading them to the conclusion that they've paid good money for a crap spam list.