Enterprise phishing control fails because most defenses protect the inbox while attacks are built on external infrastructure: spoofed domains, fake social profiles, hijacked ads, rogue mobile apps, and increasingly, manipulated AI search results. Email filters and awareness training catch the delivery. They do nothing about the infrastructure behind it.