Okay, so what was the the phishing attack ? Did they pretend to be from your support team to get login credentials ? It appears to be a very targeted attack, especially as they got your users email addresses.
ouch! very targeted then. I presume some user training has been applied then sorry you had the bad luck