Spammers operate by sending ridiculous volumes of email to as many email addresses as possible. Some of those addresses may be derived from lists harvested from various places (including a hacked address book) or just generated "on the fly" aaa@....com, aab@....com, ...
Many, perhaps most, of those target addresses will either not exist, or will have spam filters that will reject the incoming spam. The receiving servers may return those emails as "undeliverable".
Whether spammers have actually hacked someone's email account and are using it to send spam, or are just "spoofing" a sender's emails address, all the "undeliverable" messages come back to the stolen/spoofed address.
Spoofing is what has happened to my business email address. The spammers haven't hacked my account, they are just using my address as the "sender". (As a side note, when your email address shows up as the "sender" in a spam mail, it doesn't necessarily mean you've been hacked. Probably, but not necessarily.)
So when a spammer uses my address in the "sender" field and sends thousands of spam mails to non-existent accounts, many of those bounce back to my inbox. I've had days when multiple thousands of blowback emails have shown up.
What you need is an email protection/filtering that has a directory management feature. This will help prevent backscatter (or blowback spams) by using the information from the LDAP directories. By importing the LDAP directories, that email protection/filtering should be able to recognize legitimate email addresses and domains in your organization.