Mail server
Leonid, 2018-10-31 13:49:31

Email hacking or just an annoying spammer sending fake emails?

There is a company website and mail on the website's domain; we use the hosting provider's mail server.
A month ago, one of the mailboxes (let's call it [email protected]) received a letter with the following content:

Subject: [SPAM] Delete Message After Reading!
Hello!
I'm a member of an international hacker group.
As you could probably have guessed, your account [email protected] was
hacked, because I sent message you from your account.
Now I have access to all your accounts!
For example, your password for [email protected]: 89_ndb4
Within a period from July 30, 2018 to October 9, 2018, you were infected by
the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and
messengers.
Moreover, we've gotten full damps of these data.
We are aware of your little and big secrets...yeah, you do have them. We saw
and recorded your doings on porn websites. Your tastes are so weird, you
know..
But the key thing is that sometimes we recorded you with your webcam,
syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives,
and your intimate one...
Transfer $800 to our Bitcoin wallet: 1GdegtNpYcvoCPsMmyiSkZARDdAmYuXGXU
If you don't know about Bitcoin please input in Google "buy BTC". It's
really easy.
I guarantee that after that, we'll erase all your "data" :)
A timer will start once you read this message. You have 48 hours to pay the
above-mentioned amount.
Your data will be erased once the money is transferred.
If they are not, all your messages and recorded videos will be automatically
sent to all your contacts found on your devices at the moment of infection.
You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.

We asked the owner of this mailbox whether the password quoted by the attacker in the letter (89_ndb4) was correct. The answer: there was never such a password, but just in case, the mailbox password was changed.
Two weeks passed and then it started: spam began going out in the employee's name, from his mailbox, to the email addresses of his contacts (not all of them, but somehow selectively)...
The employee uses Outlook 2016, a fresh Dr.Web antivirus is installed, and the password was changed again.
Headers of one of the letters:
Subject: [SPAM] Casino 300% bonus.Win chance 100%
X-DrWeb-SpamState: Yes
X-DrWeb-SpamDetail: Vade Retro 01.408.60 AS+AV+AP Profile: <none>; Bailout: N/A; ^SuspectDomain (49);^A309-01 (20);^Coastal-F400-19-bis (300);^D380-01 (300);^TextOnly--J392-19 (300);*Casino (300)
X-DrWeb-SpamVersion: 01.408.60
DomainKey-Status: no signature
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
X-No-Auth: unauthenticated sender
DKIM-Filter: OpenDKIM Filter v2.10.3 domen.ru 2EE0B2721B85
Received: from [51.36.197.113] (unknown [51.36.197.113]) by domen.ru (Postfix) with ESMTP id 2EE0B2721B85
for <[email protected]>; Wed, 31 Oct 2018 01:39:50 +0300 (MSK)
Message-ID: <[email protected]>
From: "[email protected]" <[email protected]>
To: <[email protected]>
Date: 31 Oct 2018 03:25:45 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912

I checked our domain at https://mxtoolbox.com/domain/ ; there are no errors, only warnings (notices):
[screenshot: MXToolbox domain report]
What else to check? Where to look? What to pay attention to?
Do you think it's still a hack of the employee's computer, or something with the mail server?
How do we stop this spam mess?
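One way to answer "where to look" from the headers alone, as an added example that is not part of the original post or its author's setup: a Python script that applies the checks a mail admin would run over the quoted headers. The domain domen.ru, the IP 51.36.197.113, the `X-No-Auth`, `DomainKey-Status` and `X-Mailer` lines come from the post; the redacted addresses are replaced with constructed placeholders, and the trusted-relay list and the expected mail client are assumptions for the demonstration.

```python
"""Triage a suspected spoofed message from its headers (added example)."""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

OUR_DOMAIN = "domen.ru"                      # the domain being impersonated (from the post)
# Assumption: hosts allowed to hand mail to our MTA without SMTP AUTH (the
# hoster's webmail/relays). Take the real list from the hosting provider.
TRUSTED_SUBMITTERS = {"webmail.domen.ru", "relay.hosting.example"}
# Assumption: the client the employee really sends with (the post says Outlook 2016).
EXPECTED_MAILER_PREFIX = "Microsoft Outlook"
CLOCK_SLACK = timedelta(minutes=15)          # tolerated clock drift before Date: looks fabricated

# Constructed sample: the headers from the question with placeholder addresses
# standing in for the redacted ones; IP, hostnames and X-* lines are as posted.
SAMPLE_HEADERS = """\
Subject: [SPAM] Casino 300% bonus.Win chance 100%
DomainKey-Status: no signature
Return-Path: <employee@domen.ru>
X-Original-To: contact@partner.example
Delivered-To: contact@partner.example
X-No-Auth: unauthenticated sender
DKIM-Filter: OpenDKIM Filter v2.10.3 domen.ru 2EE0B2721B85
Received: from [51.36.197.113] (unknown [51.36.197.113]) by domen.ru (Postfix) with ESMTP id 2EE0B2721B85
 for <contact@partner.example>; Wed, 31 Oct 2018 01:39:50 +0300 (MSK)
From: "employee@domen.ru" <employee@domen.ru>
To: <contact@partner.example>
Date: 31 Oct 2018 03:25:45 +0200
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912

"""

# "from <helo> (<rdns> [<ip>]) by <host>" as Postfix writes it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")


def parse_received(received):
    """Return (hop match or None, receipt datetime or None) for one Received: line."""
    line = " ".join(received.split())            # unfold the header
    hop = RECEIVED_RE.search(line)
    stamp = re.sub(r"\(.*?\)", "", line.rsplit(";", 1)[-1]).strip()  # drop "(MSK)"
    try:
        when = parsedate_to_datetime(stamp)
    except (TypeError, ValueError):
        when = None
    return hop, when


def analyse_headers(raw_headers):
    """Return the list of spoofing indicators found in a raw header block."""
    msg = message_from_string(raw_headers)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    claims_our_domain = from_addr.rpartition("@")[2].lower() == OUR_DOMAIN

    # 1. Our own MTA recorded no SMTP AUTH, yet From: names one of our users.
    if claims_our_domain and "unauthenticated" in msg.get("X-No-Auth", "").lower():
        findings.append("unauthenticated-sender")

    # 2. Nothing cryptographically ties the message to our domain.
    if msg.get("DKIM-Signature") is None and "no signature" in msg.get("DomainKey-Status", "").lower():
        findings.append("no-dkim-signature")

    # 3. The hop that delivered to our server: an authenticated client session or a
    #    trusted relay would not show up as an anonymous external IP.
    received_at = None
    for received in msg.get_all("Received", [])[:1]:    # newest hop is listed first
        hop, received_at = parse_received(received)
        if hop and hop["by"].lower().endswith(OUR_DOMAIN) and hop["rdns"] not in TRUSTED_SUBMITTERS:
            findings.append("external-submission:" + hop["ip"])
            if hop["rdns"] == "unknown":
                findings.append("no-reverse-dns")

    # 4. X-Mailer claims a client the employee does not use.
    mailer = msg.get("X-Mailer", "")
    if claims_our_domain and mailer and not mailer.startswith(EXPECTED_MAILER_PREFIX):
        findings.append("mailer-mismatch:" + mailer)

    # 5. A Date: later than our receipt stamp means the headers were written by
    #    hand or by a badly configured sender, not by a normal client.
    try:
        sent_at = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        sent_at = None
    if sent_at and received_at and sent_at.tzinfo and received_at.tzinfo \
            and sent_at - received_at > CLOCK_SLACK:
        findings.append("date-after-receipt")

    return findings


def verdict(findings):
    """A forged From: on an unauthenticated external submission needs no stolen
    password; anything else still warrants looking at the account itself."""
    if not findings:
        return "no-indicators"
    external = any(f.startswith("external-submission") for f in findings)
    if "unauthenticated-sender" in findings and external:
        return "forged-from-header"
    return "check-account"


if __name__ == "__main__":
    found = analyse_headers(SAMPLE_HEADERS)
    for f in found:
        print(" -", f)
    print("verdict:", verdict(found))
```

Read against the quoted headers: `X-No-Auth: unauthenticated sender` is the poster's own Postfix saying nobody logged in with the employee's credentials, and the only hop is a direct port-25 delivery from an external address with no reverse DNS. That pattern is a forged From: header, not a compromised mailbox, which is why changing the password twice changed nothing. The remedy sits on the domain side (an SPF record, DKIM signing of outbound mail, and a DMARC policy) so that receiving servers can reject unsigned mail claiming the domain.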

1 answer(s)
Alexander Chernykh, 2018-10-31
@sashkets

They're just scaring you; I received such a pack with a threat to delete everything from the hard drive in case of non-payment. So ignore it, but you still need to check the quality of your passwords.
