Comment by subscribed

In my company I regularly see genuine, legitimate emails that carry several huge red flags, like these conveyed to us on trainings.

If I can plausibly claim I wasn't sure it was legit (ie it was sent from the outside form the sketchy looking host), I'd always report it internally as phishing attempt. Just to make the security work with it.