A web proxy is the technology used to block a user's HTTP connection to a malicious site according to configured policy. It acts as an intermediary between users and the internet, enforcing security policies and preventing access to harmful sites by inspecting and managing web traffic.

The situation where endpoint logs show a machine receiving an unusual gateway address and DNS servers via DHCP is indicative of a Man-in-the-Middle (MitM) attack, specifically a DHCP spoofing attack. In this type of attack, an adversary can set up a rogue DHCP server or manipulate the DHCP communication to provide false gateway and DNS information to clients. This allows the attacker to intercept, monitor, or manipulate traffic between the client and the intended gateway or DNS servers2.
References: Cisco's best practices for network protections and attack identification3, and additional insights on securing networks from DHCP attacks

The lack of data visibility needed to detect the attack is caused by the threat actor gaining access to the system by known credentials. This means that the threat actor either obtained the employee's username and password through phishing, social engineering, or other means, or used a compromised account that had legitimate access to the system. This would explain why there were no suspicious logs, alerts, or failed login attempts, as the threat actor appeared to be a normal user. References:
https://learningnetworkstore.cisco.com/on-demand-e-learning/understanding-cisco-cybersecurity-operations-fund (Module 2, Lesson 2.1.2)