I too faced the same issue on same day similar pattern
we have a smartermail enterprise 12.5 installed and one of the account on one domain was hacked and its password was set as user name itself.
Luckily I had the throttling enabled 100 mails per hour and the client complained that all mails are bouncing
Still I didn't get any idea how the password got changed in the administration log I couldn't find any such information.
Does smartermail provide a log for the password change, ip, user and related information other than one which can be created using events?
Also the threshold notification I received was also surprising
"The sender fidelity2015 (at) yandex.com has exceeded the auto spam notification threshold of 25 messages in 5 minutes"
It was not on the real user name which was hacked
I doubt there is some security hole which need to be patched...