Channel: Exchange Server 2013 - Mail Flow and Secure Messaging forum

Tracking Spoofed Email


Having an issue resolving spoofing of emails from our org using Exchange 2013.

We use Trend Micro Hosted Email Security, but this seems to bypass that and the SPF record.

Here are some example headers from a received email seemingly from an internal address to that very same address, yet it seems that it has originated from an IP in Sudan.

I have replaced our server name, server IP and email address with generic names.

Received: from SERVER.DOMAIN.local (SERVER IP) by SERVER.DOMAIN.local
 (SERVER IP) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox
 Transport; Sun, 11 Nov 2018 14:26:01 +0000
Received: from SERVER.DOMAIN.local (SERVER IP) by SERVER.DOMAIN.local
 (SERVER IP) with Microsoft SMTP Server (TLS) id 15.0.847.32; Sun, 11 Nov
 2018 14:26:01 +0000
Received: from [102.181.140.237] (102.181.140.237) by SERVER.DOMAIN.local
 (SERVER IP) with Microsoft SMTP Server id 15.0.847.32 via Frontend
 Transport; Sun, 11 Nov 2018 14:26:00 +0000
From: LOCAL USER <LOCAL.USER@DOMAIN.co.uk>
To: LOCAL USER <LOCAL.USER@DOMAIN.co.uk>
Subject: Account Issue. Changed password.
Thread-Topic: Account Issue. Changed password.
Thread-Index: AQHUecp4+RHqe1LAsk6VrVM5UkpeuQ==
Date: Sun, 11 Nov 2018 15:51:26 +0000
Message-ID: <751565660.201811111739@DOMAIN.co.uk>
Content-Language: en-GB
X-MS-Exchange-Organization-AuthSource: SERVER.DOMAIN.local
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-tm-as-user-blocked-sender: No
x-tm-as-user-approved-sender: No
x-tm-as-result: No--17.840300-5.000000-31
x-tm-as-product-ver: SMEX-11.6.0.1051-8.200.1013-24216.004
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

The message seemingly bypasses the hosted Trend filter, as it cannot be traced in the logs; I assume it is treated as internal. Yet I don't see the email when running a mailbox search in EAC > Mail Flow > Delivery Reports.

If I run "Get-MessageTrackingLog -MessageID....." in the Management Shell I see the email, and using "| Select Recipients,Sender,ConnectorId" I can see that the To and From addresses are the local email address and the connector used was the default connector for the Hub Transport role.

I am looking into implementing DKIM and DMARC records, but I fear they would not stop something like this.

Could anyone offer any insight or assist me in working out how they have done this?

Many thanks
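Added example, not part of the original post: a Python script that reads a Received chain bottom-up, the way the headers quoted above should be read, and reports where the message actually entered the organisation. The bottom-most Received line is the first hop, and in the post it shows 102.181.140.237 connecting straight to "SERVER.DOMAIN.local ... via Frontend Transport", with no hop from the hosted filter in between; that is why nothing appears in the Trend logs. The internal address space (10.0.0.0/8), the server IP (10.0.0.5) and the filter's delivery range (192.0.2.0/24) are assumed placeholders; the external IP, host names and header layout are taken from the post, and both sample messages are constructed.

```python
# Added example (not from the post): walk the Received chain bottom-up and find where
# the message really entered. 10.0.0.5 (server), 10.0.0.0/8 (org space) and
# 192.0.2.0/24 (hosted filter) are assumed placeholders; the rest mirrors the post.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

ORG_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # assumed: on-prem Exchange addresses
FILTER_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: hosted filter delivery range
ORG_DOMAINS = {"domain.co.uk"}                        # the org's accepted domain

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
VIA_RE = re.compile(r"via\s+(\w+\s+Transport)", re.IGNORECASE)

# Constructed sample 1: the post's headers with the server IP filled in.
SPOOFED = """\
Received: from SERVER.DOMAIN.local (10.0.0.5) by SERVER.DOMAIN.local
 (10.0.0.5) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox
 Transport; Sun, 11 Nov 2018 14:26:01 +0000
Received: from SERVER.DOMAIN.local (10.0.0.5) by SERVER.DOMAIN.local
 (10.0.0.5) with Microsoft SMTP Server (TLS) id 15.0.847.32; Sun, 11 Nov
 2018 14:26:01 +0000
Received: from [102.181.140.237] (102.181.140.237) by SERVER.DOMAIN.local
 (10.0.0.5) with Microsoft SMTP Server id 15.0.847.32 via Frontend
 Transport; Sun, 11 Nov 2018 14:26:00 +0000
From: LOCAL USER <LOCAL.USER@DOMAIN.co.uk>
To: LOCAL USER <LOCAL.USER@DOMAIN.co.uk>
Date: Sun, 11 Nov 2018 15:51:26 +0000
Message-ID: <751565660.201811111739@DOMAIN.co.uk>

body
"""

# Constructed sample 2: legitimate inbound mail handed over by the hosted filter.
FILTERED = """\
Received: from SERVER.DOMAIN.local (10.0.0.5) by SERVER.DOMAIN.local
 (10.0.0.5) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox
 Transport; Sun, 11 Nov 2018 14:30:02 +0000
Received: from relay.filter.example (192.0.2.10) by SERVER.DOMAIN.local
 (10.0.0.5) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Frontend
 Transport; Sun, 11 Nov 2018 14:30:01 +0000
From: Partner <someone@partner.example>
To: LOCAL USER <LOCAL.USER@DOMAIN.co.uk>
Date: Sun, 11 Nov 2018 14:29:55 +0000

body
"""

def parse_hops(raw):
    """Received hops oldest-first: source IP, Exchange transport, server timestamp."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ip, via = IP_RE.search(m.group(2)), VIA_RE.search(value)
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "ip": ip.group(0) if ip else None,
            "via": via.group(1) if via else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def analyse(raw):
    """Did an internal-looking sender actually enter from outside, skipping the filter?"""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    # First hop whose source address is not ours is where the message entered the org.
    entry = next((h for h in hops if h["ip"] and not in_any(h["ip"], ORG_NETS)), None)
    traversed_filter = any(h["ip"] and in_any(h["ip"], FILTER_NETS) for h in hops)
    internal_sender = from_domain in ORG_DOMAINS
    # Sender-supplied Date vs. the server's own receive time; big skew is another forgery hint.
    skew = None
    if msg.get("Date") and hops and hops[0]["time"]:
        skew = int((parsedate_to_datetime(msg["Date"]) - hops[0]["time"]).total_seconds())
    return {
        "entry_ip": entry["ip"] if entry else None,
        "entry_via": entry["via"] if entry else None,
        "internal_sender": internal_sender,
        "traversed_filter": traversed_filter,
        # Internal From, delivered straight to the frontend from a non-filter address.
        "spoofed_direct": internal_sender and entry is not None and not traversed_filter,
        "date_skew_seconds": skew,
    }

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("filtered", FILTERED)):
        print(name, analyse(raw))
```

For the post's headers the script reports entry from 102.181.140.237 on the Frontend Transport, an internal From domain, no filter hop, and a Date header 5126 seconds later than the server's own receive time; the legitimate sample enters from the filter range and is not flagged. The practical point is that the sender reached the Exchange server's SMTP listener directly instead of going through the hosted filter, so SPF (which only the filter checks) never applied. The usual hardening on the Exchange side is to limit the frontend receive connector's RemoteIPRanges (or the firewall) to the filter's delivery addresses and to stop anonymous connections from using your own accepted domains as sender, which by default they can.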
