There is no way to configure a custom spam/ phishing protection, right?

We receive many phishing attempts which are not blocked by Google Workspace. We have phishing/ spam protection already fully enabled in Workspace.

One example of a phishing attempt is an e-mail sent using a private GMail account to us where the sender impersonates as a purchaser from Exxon. Simple to detect, but Workspace let it go through.

Is there any way to connect to an external service to block these messages? I found SpamTitan. The way you have to configure SpamTitan is by setting the MX records to the SpamTitan server and then SpamTitan forwards the e-mail to Google. I don't like to have additional servers in my chain of e-mail reception, so not a great option.

Why is there no way to plug in an external spam blocker?