Fight against spam
Pavel Emelyanov, 2020-08-24 15:39:32

How to find out which machine spam is coming from?

Hello!
A week ago, several employees received letters supposedly from clients, with an attachment, a .doc file. They opened it, but the attachment "as if it did not open", after which the employees clicked answer and wrote that the attachment did not open. After that, our company was flooded with spam. Moreover, the spam came as if from a real person within our company. In the body of the letter there was real correspondence as well as a similar .doc attachment.
Set up DMARC on the hosting. Fewer letters began to come, but their flow is still great. Ran CureIt and KVRT on almost all of the machines. Here and there something minor turned up, but that's all: either the mailpv utility, which has been lying on disks for a long time and which they downloaded themselves, or traces of DriverPack Solution. Nothing else was seen. Letters then began to come as if from our partners, with whom there had been correspondence before. And these letters also contain real correspondence. I.e., they took a real letter, attached a file to it and sent it as if to the mailbox [email protected], but in fact the addresses are left.
I understand that since the letters come with real correspondence, the matter is in some kind of PC, but how to calculate it? Those machines that have not yet been checked should not be sending spam, since their mailboxes do not contain the letters that come in the form of spam.


3 answer(s)
Dmitry, 2020-08-24
@q2digger

Analyze email headers, analyze mail server logs (if it is your own).
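
An added illustration of the header analysis suggested in the answer above (not part of the original answer). The sample message, `example.com`, the `.invalid` hosts and the function names are constructed placeholders; `trusted_suffix` is assumed to be the hostname suffix, with its leading dot, of the servers that receive your mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread); example.com stands in for the company domain.
SAMPLE = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.example.com with ESMTP id A1; Mon, 24 Aug 2020 12:00:05 +0300
Received: from unknown (HELO host.invalid) (203.0.113.77)
\tby mx.example.com with SMTP; Mon, 24 Aug 2020 12:00:01 +0300
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bounce.invalid;
\tdkim=none; dmarc=fail header.from=example.com
Return-Path: <sender@bounce.invalid>
From: "Ivan Petrov" <ivan@example.com>
Reply-To: <ivan.petrov@mailbox.invalid>
Subject: RE: invoice

(quoted real correspondence)
"""

def domain(value):
    """Lower-cased domain of an address header, '' if the header is missing."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw, our_domain, trusted_suffix):
    msg = message_from_string(raw)
    peer_ip, auth = None, {}
    # Received is newest-first. Hops written before our own server took the
    # message can be forged, so keep the oldest hop stamped by a trusted host.
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())  # unfold continuation lines
        by = re.search(r"\bby (\S+)", hop)
        ip = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", hop.split(" by ")[0])
        if by and ip and by.group(1).lower().endswith(trusted_suffix):
            peer_ip = ip.group(0)
    # Only believe Authentication-Results whose authserv-id is a trusted host.
    for res in msg.get_all("Authentication-Results", []):
        res = " ".join(res.split())
        if res.split(";")[0].strip().lower().endswith(trusted_suffix):
            auth.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", res))
    return {
        "peer_ip": peer_ip,  # host that handed the message to our servers
        "auth": auth,
        "envelope_domain": domain(msg["Return-Path"]),
        "reply_domain": domain(msg["Reply-To"]),
        # From claims our domain but DMARC did not pass: the message did not
        # go out through our mail service.
        "spoofed_internal": domain(msg["From"]) == our_domain
                            and auth.get("dmarc") != "pass",
    }
```

When `spoofed_internal` is true and `peer_ip` is an outside address, the message was injected from elsewhere under your domain's name; a `peer_ip` that is your own office address is the case that points back at a machine on your network.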

Pavel Emelyanov, 2020-08-26
@EmelyanovPavel

I wrote to Yandex support asking why there is no general blacklist in the domain management admin panel, where you could enter addresses for all mailboxes at once. They answered that it was a good idea and that it would be added to the customers' wish list, but that it is not a fact that it would be implemented. Meanwhile, the spam only intensified. There are about 70 letters a day, which is very sad.

moropsk, 2020-10-20
@moropsk

In theory, you can try to send your mail through
https://interface31.ru/tech_it/2019/02/proxmox-mai...
It has its own blacklists, DNSBL, etc.
