All our incoming email is scanned for infections with an anti-virus scanning that is update every few hours, this stops most of the attacks but every couple of days we get a few phishing emails that are undetected when they arrive with a new attachment e.g new_purchase_order.iso ... we quarantine all potential infections attachments so (touch wood) we're currently OK. But we don't assume that we will not get infected so everything is backed up by an off-line system.
While some on-line access systems can be infected, the bulk of malware infections these days are a result of people opening emails with new infected attachments that the anti-virus vendors haven't discovered for the last hour or so.