So, the investigation will probably lead to an initial spear-phishing attack or other social engineering activity that provided some sensitive or leverageable credentials. Unfortunately, this is too common, and too much attention is paid to technical solutions and too little to simple, social vectors. People will click or reply "just to be on the safe side" when things happen. No amount of security awareness training seems to work.
Mitigations must be in place that nullify the act of clicking on an email link, replying to a fake support email, or clicking on a pop-up that claims your computer is infected. Egress filtering, white-listing and directory services settings can do much of that.
Unfortunately, too much of our effort is spent applying technical solutions to security problems, and the human element is ignored. The human element (hacking the human) is the primary weak link in our security tool kit.
See how one can take a news post to promote a favorite stance?
Jayne: Testing. Testing. Captain, can you hear me?
Mal: I'm standing right here.
Jayne: You're coming through good and loud.
Mal: 'Cause I'm standing right here.