Someone (or some script) has been sending out spam (HotMail phishing scam) from a couple of accounts.

This seems to be beyond simple guessing of passwords.
Accounts get locked out after more than 3 attempts, so not a dictionary attack.

The accounts show a forwarding address to a gmail account that has an auto reply to somewhere in Mongolia. (That's a dead end.)
(Presumably to collect bounce notifications.)

The bigger question is how are they getting into the Zimbra configuration to modify the forwarding address?

These accounts, when found, get locked and the passwords changed.
But within hours, they are sending again.

(These are not bad customers. These are admin accounts!)

Is there a way to inject an SQL query, or a command through the webmail interface?

There are no strange IPs in the audit logs, except for failed attempts.

Anyone have any knowledge or history on this?

If the server is vulnerable, that can be fixed.
But I need better tools than just searching through log files after the fact.
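
Added example, not part of the original post: one way to catch the forwarding change described above without waiting for it to show up in logs is to audit every account's forwarding attributes on a schedule and flag targets outside your own domains. It assumes the `# name` / `attr: value` layout of a `zmprov -l gaa -v` dump; the sample data and the domain list are constructed.

```python
import re
import sys

# Account attributes that can hold a forwarding target (user-set and admin-set).
FORWARD_ATTRS = ("zimbraPrefMailForwardingAddress", "zimbraMailForwardingAddress")

# Constructed sample in the "# name" / "attr: value" layout assumed for
# `zmprov -l gaa -v` output; all accounts and addresses are made up.
SAMPLE = """\
# name admin@example.com
zimbraAccountStatus: active
zimbraIsAdminAccount: TRUE
zimbraPrefMailForwardingAddress: collector@mail.example.net

# name alice@example.com
zimbraPrefMailForwardingAddress: alice@corp.example.com, alice.home@example.org

# name bob@example.com
zimbraAccountStatus: active
"""

def parse_accounts(dump):
    """Split the dump into {account: {attribute: [values]}}."""
    accounts, current = {}, None
    for line in dump.splitlines():
        if line.startswith("# name "):
            current = accounts.setdefault(line[len("# name "):].strip(), {})
        elif current is not None and ": " in line:
            attr, value = line.split(": ", 1)
            current.setdefault(attr, []).append(value.strip())
    return accounts

def external_forwards(dump, local_domains):
    """Return sorted (account, attribute, address) for forwards leaving local_domains."""
    local = {d.lower() for d in local_domains}
    hits = []
    for account, attrs in parse_accounts(dump).items():
        for attr in FORWARD_ATTRS:
            for value in attrs.get(attr, []):
                # One attribute value may list several comma-separated targets.
                for addr in re.split(r"[,\s]+", value):
                    if addr and addr.rpartition("@")[2].lower() not in local:
                        hits.append((account, attr, addr))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: zmprov -l gaa -v | python3 forward_audit.py example.com
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    domains = sys.argv[1:] or ["example.com", "corp.example.com"]
    for account, attr, addr in external_forwards(text, domains):
        print(f"{account}\t{attr}\t{addr}")
```

Run from cron and diffed against the previous run, the output shows a newly added external forward within one interval instead of after the next spam run.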