Re: victim being the security company's
That would be the bit that misfired in your brain.
Order of events is:
1. Company is hacked.
2. Company admins belatedly discover serious anomalies in the log files.
3. Company hires security boffins to find the problem.
4. Security boffins find malicious dll file on the OWA server.
So no, the security company was not granted prior access.
Were I to speculate, I'd guess an admin account that was used for mail. If you grab the credentials from the login in a wireless cafe (think Starbucks, back in the day it was the only reason I went there) and realize they are admin credentials when you log into the OWA system, p@wnage is sure to follow.