Something I did notice is that most, if not ALL, the troubled emails seemed to have attachments, mostly only jpg images.
Other note: the outgoing emails were not all from internal users. Some were genuine relayed domains.
Example schematic path: third party SMTP server -> ASG Incoming proxy -> internal email server -> envelope rewrite -> ASG Outgoing relay -> final destination.
As well as: internal user -> internal email server -> ASG Outgoing relay -> final destination.
Hope that will help.