This attack is hard to identify for employees because they never see the download or take any action other than visiting the employee website to have their credentials stolen. In this case, the attackers leveraged a default setting of sending the username and hashed password to a server. It is a best practice for organizations to change the settings of Windows workstations to not send credentials to remote SMB servers, or block SMB network traffic from leaving the corporate network perimeter. Because the threat actor compromised the employee websites, it would make it harder for employees to identify if their passwords were stolen in the attack. Since it is hard to identify who may have been impacted, anyone that went to those websites should change their Windows account password. Because employee passwords can be stolen or guessed, it is important to implement Multi-Factor Authentication (MFA) to protect accounts from unauthorized access even if an attacker has a password. It is also critical to monitor systems that can be remotely accessed for early signs of attacker behaviors, regardless of the method used. Endpoint Detection and Response (EDR) tools help security analysts detect suspicious behaviors on workstations and servers to stop attacks in the early stages.
More information on this attack can be found here: https://www.bleepingcomputer.com/news/security/russian-hackers-tried-to-steal-san-francisco-airport-windows-accounts/