Our organization received a phishing email some time ago. The phishing email was sent from a compromised account inside the organization. Looking at the email header, it has the following Received fields:
Received: from SG2PR01MB0944.apcprd01.prod.exchangelabs.com (10.169.100.10) by
KL1PR01MB0933.apcprd01.prod.exchangelabs.com (10.164.231.11) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.156.4 via Mailbox
Transport; Fri, 27 Oct 2017 09:39:59 +0000
Received: from SG2PR01MB0459.apcprd01.prod.exchangelabs.com (10.161.6.149) by
SG2PR01MB0944.apcprd01.prod.exchangelabs.com (10.169.100.10) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.178.6; Fri, 27
Oct 2017 09:39:59 +0000
Received: from SG2PR01MB1343.apcprd01.prod.exchangelabs.com (10.167.76.21) by
SG2PR01MB0459.apcprd01.prod.exchangelabs.com (10.161.6.149) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.156.4; Fri, 27
Oct 2017 09:39:58 +0000
Received: from SG2PR01MB1023.apcprd01.prod.exchangelabs.com (10.169.100.137)
by SG2PR01MB1343.apcprd01.prod.exchangelabs.com (10.167.76.21) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.178.6; Fri, 27
Oct 2017 09:39:46 +0000
Received: from SG2PR01MB1023.apcprd01.prod.exchangelabs.com
([fe80::1867:203b:f12:380b]) by SG2PR01MB1023.apcprd01.prod.exchangelabs.com
([fe80::1867:203b:f12:380b%13]) with mapi id 15.20.0178.007; Fri, 27 Oct 2017
09:39:46 +0000
From: xyz <xyz>
Subject: Notice
Thread-Topic: Notice
Thread-Index:
AdNPBpX5rIMKqJjjTuGn/nek8DrJzgAAAC7wAAAAHRAAAAAUYAAAABTAAAAAFPAAAAAVUAAAABVAAAAAFwAAAAAXYAAAABWQAAAAFPAAAAAagAAAABHQAAAAFDAAAAAUYAAAABVQAAAAFFAAAAATEAAAABRw
Date: Fri, 27 Oct 2017 15:09:38 +0530
Message-ID:
<SG2PR01MB1023229A62F250B921895178A75A0@SG2PR01MB1023.apcprd01.prod.exchangelabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-AuthSource:
SG2PR01MB1023.apcprd01.prod.exchangelabs.com
X-MS-Has-Attach:
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-Network-Message-Id:
d5ec70e0-6238-44fa-694a-08d51d1ea8d5
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
x-ms-publictraffictype: Email
X-Microsoft-Exchange-Diagnostics:
1;KL1PR01MB0933;27:Ajs/I3flIgzdhgTPkcBiDAtWGGFtnAcLkzCg2qbkKkkaVOYm0bU3qTPq7lPpvRQdDfDu8ZOJ2ApzRS02N2+usY7nLefJJqe/dQHB+Du9lETal7rOXfoYhdwmkWpgTUkF
X-Microsoft-Antispam-Mailbox-Delivery:
ex:0;auth:0;dest:I;ENG:(400001000128)(400125000095)(750103)(520011016)(706028)(400001001318)(400125100095)(61617190)(400001002128)(400125200095);
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Now, the IP addresses are private IP addresses. Does this mean that the attacker who had compromised the sending account was sending the phishing email from our own network? Does it mean the attacker is possibly from our own organization?
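A small parser, added here as an example rather than as part of the question, that walks the quoted Received chain origin-first and classifies each address as RFC 1918 private, link-local or public. It assumes the two-hop excerpt embedded below (re-folded with leading whitespace so Python's email module accepts it) and treats the hostname suffix .exchangelabs.com as the marker for the hosted Exchange servers.

```python
import email
import ipaddress
import re

# Excerpt of the header quoted in the question (first and last hop only),
# re-folded with leading whitespace on continuation lines for the parser.
RAW = """\
Received: from SG2PR01MB0944.apcprd01.prod.exchangelabs.com (10.169.100.10) by
 KL1PR01MB0933.apcprd01.prod.exchangelabs.com (10.164.231.11) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.156.4 via Mailbox
 Transport; Fri, 27 Oct 2017 09:39:59 +0000
Received: from SG2PR01MB1023.apcprd01.prod.exchangelabs.com
 ([fe80::1867:203b:f12:380b]) by SG2PR01MB1023.apcprd01.prod.exchangelabs.com
 ([fe80::1867:203b:f12:380b%13]) with mapi id 15.20.0178.007; Fri, 27 Oct 2017
 09:39:46 +0000
X-MS-Exchange-Organization-AuthAs: Internal
Subject: Notice

"""

# "from HOST (ADDR) by HOST (ADDR) with PROTO id ..."; ADDR may be [bracketed].
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+)\s+\(\[?(?P<src_ip>[^\])]+)\]?\)\s+"
    r"by\s+(?P<dst>\S+)\s+\(\[?(?P<dst_ip>[^\])]+)\]?\)\s+"
    r"with\s+(?P<proto>[^;]+?)\s+id\s"
)

def classify(addr):
    """RFC 1918 / link-local check; strips an IPv6 zone id such as %13."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])
    except ValueError:
        return "unparsed"
    if ip.is_link_local:
        return "link-local"
    return "private" if ip.is_private else "public"

def trace(raw):
    """Hops in origin-first order (each server prepends its own Received)."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold the header first
        if m:
            h = m.groupdict()
            h["src_kind"], h["dst_kind"] = classify(h["src_ip"]), classify(h["dst_ip"])
            hops.append(h)
    return hops

def assess(raw, hosted_suffix=".exchangelabs.com"):
    """Does any hop record a public address, and are all hops hosted servers?"""
    hops = trace(raw)
    external = sum("public" in (h["src_kind"], h["dst_kind"]) for h in hops)
    hosted = all(h["src"].endswith(hosted_suffix) and h["dst"].endswith(hosted_suffix)
                 for h in hops)
    return {"hops": len(hops), "external_hops": external, "all_hosted": hosted,
            "origin_protocol": hops[0]["proto"] if hops else ""}
```

Against this chain it reports zero external hops and a mapi origin: every recorded address belongs to a server-to-server hop between the hosted Exchange servers, and the submitting client's own address does not appear in the Received lines at all.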