PBX Hacked and Scheduling when calls are allowed

Three possibilities.

  1. The password is an unsecure password.
  2. The SIP credentials were emailed to the user and their email account got hacked.
  3. The password was stored in an unsecure place, or it is in EPM and is exposed publicly.

However, IMO: blocking outbound calls is a fat band-aid. You should first change the password, allow SIP access from trusted sources and then try to figure out how they gained access.

A while ago, I discussed on the #OpenSourceLounge how you can use an existing tool in FreePBX to implement a sort of 2FA on every outgoing call.

I was planning on presenting this at AstriCon, as well as other techniques for detecting and getting notified when there's possible malicious activity on your PBX. But unfortunately, the AstriCon dates do not align well with the Jewish holiday of Sukkot. So maybe next year…