That seems like it was the case, but the attackers got access to lower-privileged accounts and used them to find who had that access so they could target them.
The key being "proper training". Those few god-level admins should be drilled enough to defeat a phone-phishing campaign. In fact, they should probably have custom procedures to look after their own credentials.