If someone connects to a network which has been infected and they've not applied the appropriate patch (MS17-010) it looks like they're in trouble if they're running Windows and don't have a firewall blocking incoming connections.
So first person in a network has to have fallen for the phishing attack, but once it's in the network it can spread via the ETERNALBLUE exploit.
So first person in a network has to have fallen for the phishing attack, but once it's in the network it can spread via the ETERNALBLUE exploit.