There's no really simple way to deal with spam, Dan. It's a juggling act...we figure out a new way to stop it, spammers figure out new ways to get around the blocks.
Realistically speaking, most threats out there today that are used to spam will forge the information about the sender...so if User A gets an email from User B that's spam, it's usually *actually* User C who sent it...investigating User B's computer usually will be fruitless.
Check your mail server and network logs...you could see one (or more) IP addresses suddenly sending a whole bunch more email traffic...I'd recommend going over those computers looking for abnormalities and work with support to submit any suspicious files.
This traffic could be coming from outside your network as well. Work with your network team to see if they can find an increase in incoming email traffic from an external source that could be blocked at the perimeter.
However, if these logs don't show anything (at least glaringly obvious), you're going to have to do some sleuthing along with some in-depth log analysis with your network team to try to identify the suspicious traffic, trace it back to the source, then focus on that machine (or machines).
As always, ensure that your AV solution is current with current definitions and regular system scans, as well as ensure that your OS is fully patched.