Either a mistake in programming or you possibly have been hacked.

Hacked is what I figured. Just suddenly started happening.Most likely coming in through the voice mails UM port. Thanks!

We discovered the hard way early on that the 9100 is easy to hack. Fortunately, it is easy to secure.

Do you have any NAT set up to access admin from outside? If you do, change to lesser known ports. Even better, disable that and use remote access to a PC on site via TeamViewer or Google Chrome remote since a port scanner will easily show which ports are used for this.

Disable any trunk to trunk transfer unless a compelling need for it is required. If you must set up trunk to trunk transfer, make it as restrictive as possible. Local calls only or drill down to specific numbers. Especially on the voice mail ports.

If possible, don't allow international calls. If there is a compelling need for it, only allow to users that need it, and set up a verified code. Make it as difficult as possible since these can become costly calls very quickly.

Change all user's access codes to web programming in 90-28. Ideally, blank it. Hackers use these to set up off site forwarding.

Change all admin security codes. Especially the "necii" login. You can't do this unless you are logged in as necii. The default password for the login is easily found on Google. Compound this with remote access to WebPro and, yeah... Good hackers will bury some of their tricks deep in programming and escape any casual attempts to mitigate. With necii, the system is their oyster.

Check Modification history and make sure you recognize all users and recent changes made. This is how we discovered the necii and user hacks. It was a hard lesson and I share this to save anyone pain.

If you have IP phones accessing the system via NAT, check 15-05. Make sure someone hasn't set up a SIP phone and is using that to make calls or set up forwarding. If you have SIP phones, require authentication and make complex user names and passwords. Also make sure someone hasn't set up Mobile Extension to do the same thing. If you see an unauthorized SIP phone, delete it in 90-23, find the port in 11-02 (this can be a pain since a good hacker will hide it in the higher numbered ports), and remove it. In 15-01, check the extension list and make sure there aren't any mobile extensions set up that you don't recognize.

Carefully comb through ALL ports in 11-02 and remove something that is unrecognized. Note down what you removed just in case it was set up for something that was forgotten about.

If the system is licensed for InControl, you can use the reports to help you figure out if this is simply a spam or nuisance caller. I see what appears to be a 10-digit Caller ID (albeit a non-valid number). If this is a robo call, then you can block calls by Caller ID. If you don't have InControl, set up SMDR and use Putty to capture SMDR to a file. Takes a little work but you can get a surprising amount of insight into what is happening

While I haven't run across it, I understand Find Me Follow Me can also be used to set up unauthorized transfers.

I am not proud of this list. Many of these are on my wall of shame. I hope you find out what is going on.

My usual recommendation is do not change passwords on the system. The NEC only allows numeric passwords and they are the easiest to hack. What you should do is change the user names as they can be as complex as you want, uppercase, lowercase, numerical and special characters. The added advantage of this is if you loose the username you can log in from a phone (which is presumably secure on your site) using just the standard passwords and look up the username so you can't get locked out of your own system. Also check voicemail passwords as many people (for some reason) use their extension number as the VM password leaving another doorway open.