Was the attack vector .docm files through email?
In that case the .docm itself contained w97downloaderM, which then downloads the encryption payload, I think, but SEP still failed to block any of it.
I think this should be expected and prepared for in advance; malicious payloads should never reach the endpoints.