atcomsystems.ca/forum
Posted By: Robert O. Toll Fraud on CIX with Stratagy VM - 10/20/16 06:35 PM
I have a customer that got hit with Toll Fraud recently, but I have not been able to find how it was done. The customer has a Toshiba CIX100 and LVMU voice mail system with PRI and digital phones. It does not have any VoIP devices or even a connection to the Network. They claim during the incident that they observed approximately 4 lines busy with nobody on the phone. They have 7 virtual lines/answer points on the phones, so it points to the vulnerability being in the Voice Mail (4 Ports). I did not find any mailboxes that had the extension changed to an external number or speed dial. I was also not able to find any phones that were forwarded externally.

I am more interested in how it was done, since I know how to fix it. Any help would be appreciated.
Posted By: newtecky Re: Toll Fraud on CIX with Stratagy VM - 10/21/16 04:27 AM
The voicemail system is the most common place hackers will use for toll fraud. They may not have set the entire number in the extension field. I would look again for an extension something like 901. The 9 in the extension field will grab an outside line. Also double check your DIDs to make sure that you don't have DISA enabled on a number.

Typically I see hackers getting into the admin mailbox with the default code through the phone rather than using software.

It's good practice to enable destination restrictions for the voicemail extensions. With the IPEdge voicemail system the hackers will log in to any user's voicemail box and use the follow-me feature.
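An added example, not part of any post in this thread and not Toshiba's tooling: a small audit of the check described above, showing why a search for full external numbers misses a partial entry such as 901. The CSV layout, the column names, the station numbers and the 7-digit threshold are all assumptions made for illustration.

```python
import csv
import io

TRUNK_ACCESS_CODE = "9"   # per the thread: a leading 9 grabs an outside line
INTERNAL_EXTENSIONS = {"200", "201", "202", "203"}   # assumed station numbering
MIN_FULL_NUMBER_DIGITS = 7   # assumed length at which a value "looks like" a phone number

# Constructed sample data; this is not a real Stratagy export format.
SAMPLE_EXPORT = """mailbox,extension_field,follow_me
200,200,
201,901,
202,202,915555550100
203,203,201
999,,
"""

def naive_audit(export_text):
    """Flag only values long enough to look like a complete external number."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        for field in ("extension_field", "follow_me"):
            value = (row[field] or "").strip()
            if len(value) >= MIN_FULL_NUMBER_DIGITS:
                hits.append((row["mailbox"], field, value))
    return hits

def audit_mailboxes(export_text, internal=INTERNAL_EXTENSIONS, trunk=TRUNK_ACCESS_CODE):
    """Flag every destination that is not a known station, however short it is."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        for field in ("extension_field", "follow_me"):
            value = (row[field] or "").strip()
            if not value or value in internal:
                continue   # empty, or a known internal station
            if value.startswith(trunk):
                reason = "starts with trunk access code"
            else:
                reason = "not a known internal extension"
            findings.append((row["mailbox"], field, value, reason))
    return findings

if __name__ == "__main__":
    print("naive :", naive_audit(SAMPLE_EXPORT))
    for finding in audit_mailboxes(SAMPLE_EXPORT):
        print("strict:", *finding)
```

The allow-list comparison is what catches mailbox 201 here: its field holds only the trunk code plus the first digits of a number, so it never looks like a phone number on its own.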
Posted By: Wattheheck Re: Toll Fraud on CIX with Stratagy VM - 11/01/16 12:17 AM
Do they have any toll-free numbers associated with the PRI? Typically hackers only want to come in on toll-free numbers. You should always secure the password on mailbox 999, get rid of or change mailbox 993 to another mailbox that can access the voice mail's internal modem. You might even consider removing the CIX internal modem. There are many ways to access the outgoing trunks.
If it was truly hacked, those would have been international calls made that they don't recognize making, and the carrier should adjust the bill for them.