The most common exploits involve transfers via DTMF (*2). Confirm that in Advanced Settings, ‘Disallow transfer features for inbound callers’ is turned on. If you don’t use these codes, disable them altogether; see
It is also possible to set up callback and/or making an outgoing call from voicemail. These are disabled by default but check VM Options for the extension involved. An attacker can abuse callback by spoofing caller ID with the number he wants to call, leaving a message, then calling in and choosing the callback option.
The Asterisk log should show what happened.