"went to a user in the goods receivable department."
even RSA got 'hacked' in a similar way, when an attachment with a payload was apparently opened [in 'virus outbreak' aka MS Outlook] by a low-level accountant that was "on the network".
general e-mail rules to avoid this:
a) *NEVER* preview in HTML
b) *NEVER* even VIEW in HTML
c) *NEVER* allow 'inline whatever' to be previewed (or even VIEWED) in an e-mail
d) *NEVER* click on a link in an e-mail. *NEVER*. [I've received fake 'unsubscribe this' links in legit-looking bulk mail that appears as if I were maliciously subscribed against my will, most recently to 'wired', which I forwarded to their abuse department instead - had I clicked, who knows what would've happened!]
HTML mail is *EVIL* and should be avoided. Doesn't matter how many cat-pic chain mails get forwarded that way. If you must see it, save the attachments, scan them, THEN view them.
This level of security requires strict I.T. policies *AND* compliance. However, if you can actually *GET* users to comply, it will save your ass at some point.
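The rules in the post above can be turned into a mechanical pre-delivery check. The following is an added example, not code from the post or from any product it mentions: a small defensive lint in Python's standard library that parses a raw message and reports the three constructs the post warns about (an HTML part, an inline-displayed attachment that a client would auto-render, and a link whose visible text names one host while its href goes to another, the "fake unsubscribe" case). The sample message, its addresses and the hostnames `example.net` / `tracker.example.com` are constructed placeholders.

```python
"""Defensive lint for an incoming e-mail (added example, not from the post).
Reports HTML parts, inline attachments and deceptive links so a mail gateway
or a user's own script can refuse to render them.  Sample data is constructed."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlparse(url).hostname or "").lower()


def lint_message(raw):
    """Return a list of findings for raw RFC 5322 message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        disp = (part.get_content_disposition() or "").lower()
        name = part.get_filename() or "(no name)"
        if ctype == "text/html":
            findings.append("html part present: render as plain text or not at all")
            collector = _LinkCollector()
            collector.feed(part.get_content())
            if collector.links:
                findings.append(f"{len(collector.links)} clickable link(s) in html part")
            for href, text in collector.links:
                # Only compare when the visible text itself looks like a URL or domain.
                if "." in text and " " not in text:
                    shown = _host(text if "://" in text else "http://" + text)
                    if shown and shown != _host(href):
                        findings.append(
                            f"link text '{text}' points to '{_host(href)}': do not click"
                        )
        elif disp == "inline" and part.get_content_maintype() != "text":
            findings.append(f"inline {ctype} attachment '{name}': would auto-display")
        elif disp == "attachment":
            findings.append(f"attachment '{name}' ({ctype}): save and scan before opening")
    return findings


def build_sample():
    """Construct a message of the kind the post describes (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example.net"          # placeholder sender
    msg["To"] = "accountant@example.org"            # placeholder recipient
    msg["Subject"] = "You have been subscribed"
    msg.set_content("You were added to our list. Visit www.example.net/unsubscribe to leave.")
    # Visible text names one host, the href goes to another (constructed).
    msg.add_alternative(
        '<p>You were added to our list. '
        '<a href="http://tracker.example.com/u?id=42">www.example.net/unsubscribe</a></p>',
        subtype="html",
    )
    # An "inline" non-text attachment, which many clients display automatically.
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf", disposition="inline")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in lint_message(build_sample()):
        print("-", finding)
```

Run against the constructed sample it reports the HTML part, one clickable link, the mismatched unsubscribe link and the inline PDF; pointing `lint_message` at a real `.eml` file (`open(path, "rb").read()`) applies the same checks. The link test deliberately compares hostnames, not full URLs, because a display text such as `www.example.net/unsubscribe` is itself a host-plus-path the reader trusts.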