I'm coming to see if others have encountered this before and can give any insight into what I'm really dealing with.
Yesterday a user's mail account sent out 2 emails. Between the two emails, we believe they encompassed almost all, if not all, of her mail contacts. In those emails was a link to a 'drop box' file. The link took recipients to a page where they saw a 'drop box' page with prompts to log in to various email providers. As best we can tell, it was just a password capture: when someone supplied an email address and password, it took them to a file hosted publicly on Google Docs. The file was about wealth management.
Curiously, if a recipient responded to the email asking questions, it would generate an automatic response 'confirming the legitimacy of the email'.
Taking the user's computer offline seemed to stop the automatic...