If they all contain DOC attachments the easy solution would just be to add that to the Incoming Extension Blocklist in SmarterMail. In this day and age most clients should be used to sharing links to attachments stored in Google Drive, Dropbox, OneDrive, iCloud, SpiderOak, OwnCloud/NextCloud, or SmarterMail's File Storage, instead of receiving or sending attachments direct.
We still use Declude, primarily because we can easily add global filters to catch content based on strings, which you cannot do effectively in SmarterMail (the base filters that come with Declude are "okay" but the ability to create our own in-house makes it invaluable). We had the same lag issue with Declude (due to it using as much CPU as is available) and eventually opted for using separate Incoming Mail Servers that run antispam and antivirus checks, along with Declude, before passing it to our SmarterMail server. Doing such took the delay down to a mere 2 seconds in most cases and 10 seconds max under heavy usage above and beyond peak.
The only other option would be to start capturing IPs (and HELO/EHLO) of the Spear Phishers and track them over time. You'll start to see them coming from the same providers, moving to the next provider every 7-14 days and cycling back through every 60-90 days, which is how they circumvent traditional RBLs (and the sloppy ones use the same naming scheme for their HELO/EHLO regardless of what provider they are using to send from that week). Once you've tracked them you can start being heavy-fisted with blocking entire IP Ranges (or HELO/EHLO patterns using wildcards) in your Smartermail Security Blacklist & SMTP Blocking. It's tedious, but it is definitely effective. Once you start seeing the same provider names over and over again you can just lookup all the IP Ranges assigned to that network owner and block them wholesale.
Our shortlist of blocked network owners (most of whom are in business only for Spammers) are:
myLoc managed IT AG
Interactive 3D B.V.
Global Layer B.V.
Global Frag Networks
It is amazing how much Spam originates from only 18 network owners on roughly 100 IP Ranges (adding Talos Intelligence, formerly Senderbase, to your RBLs with a heavy score will catch most of these top harbors for spammers without potentially blocking legitimate email traffic and tediously adding IP Ranges to your SmarterMail Blacklist every week.)
For SMTP Blocking if you add the HELO/EHLO of ylmf-pc you'll probably block far more than you ever imagined you might (they are also one of the biggest Brute-Force botnets).
Unfortunately there is no single silver bullet option for stopping all Spam. Spammers and Phishers have far more money to throw at it than the AntiSpam industry has at their disposal. It's a losing game where you have to use every tool in your arsenal, constantly change tactics, and at the end of the day just accept that you're only going to catch 90-94% and that some are always going to slip through.