German publisher/group Heise was infected by Emotet

4 points by bjoko almost 6 years ago

1 comment

bjoko almost 6 years ago

Here is a short summary taken from the linked Reddit post:

* root cause was a piggy-backed mail conversation where a legitimate mail correspondence/dialogue was continued by a hacker who sent over a macrofied .doc; the recipient opened it because it looked legitimate and would you please "Enable Editing"

* that system infected/contacted various other systems in the network; those systems were cleaned superficially

* two days later the firewall noticed outgoing traffic, so the infections were still ongoing

* suspicious activity was discovered on the domain controllers

* IT decided to shut down the internet connectivity

* the whole domain is going to be rebuilt

* although there was a policy in place to limit local admins, some systems/accounts were NOT locked down, for example some POS "presenter" software that needed local admin

* as to why the domain controllers were compromised: it is possible that the admins logged into infected systems with a domain admin to clean those systems

This whole thing really is special, because there are the usual stereotypes in play:

* macros weren't disabled company-wide or at least restricted

* local admins are a thing

* software that NEEDs local admin is still a thing

* admins might (!) have used domain admin credentials to enter suspicious systems

...and it happened to Heise, of all places.