The attacker sent multiple emails to multiple addresses on my company's domain. They used spoofed addresses to make it look like accounts were compromised and blackmailed people saying they will release my colleague's browser history if they aren't paid.
