My guess is that there were still some hosts allowed through the block (e.g. whatever is writing to that NAS), and that they were accessing the NAS with frequent new connections. The firewall only tracked transport layer state so the bad guy was able to hijack an existing session by sneaking in a correctly-numbered TCP segment inside an IP packet with his own IP address as the source.