At my job every network login that did not have the "password never expires" checkbox checked in Active Directory was prompted to change passwords. Individually, user accounts did not have a expiration date. After looking more in depth I found a group policy for the entire district where passwords have a max age of 45 days. However, I don't believe that anyone specifically set that. Can a virus set that policy?
In addition we had to temporarily shut down our firewall that was incorrectly blocking secure traffic.