There could be a couple of things going on. But before you do anything else, restrict your VM/AA ports to local only.
Do this for all NuPoint ports and embedded ports.
Change the VM TUI admin passwords for NuPoint and Embedded.
Next turn on Record Transfer in your SMDR string.
Now, as for what happened, odds are pretty good that one or more mailboxes were hacked. The hacker would put in the fraudulent number in his personal contact list or extension number. I've seen this a lot with embedded. Not so much with NuPoint but it does happen.
Ralph