Umm, so what did it actually download an  the user allow to run ? I guess it wasn't a .docx, it must either be something with macros (.docm) or some kind of executable, either way the user must have allowed them to run for it to be able to hijack outlook to propogate.

The social attack is one that many of my users would clearly fall for, but having clicked it I would hope that windows makes it pretty clear this isn't the file they were expecting.

Curiosity killed the cat and lets phishers install viruses.

Social engineering is the most dangerous attack. You can only try to educate your users.