Dealt with it on Friday, I created a SPAM filter rule based on subject line and email body to quarantine any inbound or outbound that matches. Also created an Exchange transport rule to send me a notification for message approval if subject line or body matched email was attempted to be delivered from an internal to internal to prevent any more spread.
So far so good.
We also forced an update of endpoint protection and full scan on users computers, as of this morning Microsoft Endpoint seems to be cleaning it.