We had several suspicious activities happen at once, along with this activity. I can't go into details.
That said, we contacted our vendor agent and they were super cagey about what was happening.
This is what leads me to believe they had an incident they aren't reporting.
Toss in the fact of these red-herring-like solutions/problems their helpdesk is providing to the stated problem - instead of saying, "oh.. interesting - I wonder if their AV is false positiving us".. no, instead they're blaming a website redirect, lack of TLS, etc.