Virtualize our OS, Captain!
Quickly, before the attackers encrypt the dilithium crystals!
Since "most of these arrive via the inbox", it might seem logical that an office system would run a virtual OS specifically for email and sending / receiving attachments. It could be a cookie-cutter installation with access only to its own filesystem. If compromised, it could simply be blown away and replaced with a new one from template. An attacker could not -- without hacking the hypervisor as well as the OS -- get to system files, let alone the rest of the network.
Yes, it's still possible to hack through the hypervisor, etc. But security is never about absolutes. It's always about raising the difficulty high enough to make hackers look elsewhere. Make the hackers' dev work too hard, too much effort for the probable return on investment.
And yes again, it would make office tasks quite a bit more complicated. Files would have to be shuffled through safe-zones and mandatory malware detection.
Is the extra trouble worth not having your company's highly lucrative stock-trading database encrypted?