"1 of my vendors had their email compromised recently. The attacker then sent out emails with docs to sign for renewals via MS Office/Outlook links."
Also, whatever your mail server situation is, whether it's a hosted provider or in-house, I'd suggest looking into some kind of email malware/spam scanner/filter such as SpamAssassin, as well as otherwise doing everything you reasonably can to secure/harden your email server. It has been over a decade since I've done any of that, but it seems to me that a lot of good work has been done in that area, and this email probably shouldn't have gotten through a current secured/hardened email server (blacklists, Bayesian filters, domain keys, etc.).
