Popular ways to phish are:
The company web site has a list of important people in The Department, with email addresses. This is too easy.
Making a fake web site takes a bit of work. You decide an infected document is the easiest thing to do. You create a document that looks like it is from a sugar manufacturer in another country, announcing pre-launch samples of a new type of sugar that would work really well for donut toppings. Creating a tempting story around your document and your email will make it much more likely someone will open it.
There are plenty of tools available that can create custom malware for a document that will slip through most email filters. So you use one of those, and attach it to your email.