Send an email to someone with employee type click-bait (juicy info about your company or a major competitor, whatever) and get drive-by malware that installs some VBA code in Outlook.
When that employee emails others in the company, the VBA is included and installs itself, tells the user his Outlook session has expired and puts up a dialog asking for the account and password. Employee enters the data and it is sent to a command and control server. That user is now pwned.
Send messages (seemingly from a pwned employee) to the CEO, CFO, Finance and Legal departments with VBA attachments that are installed. The VBA sends all their email to the bad guys. Not saying it's the way it was done, but that's one way to do it.