Also, just as an FYI, I do network security in a completely different sector, but the attacks are usually the same. The "sneak forwarding" is a common targeted attack.
I cross-checked my mailbox setup and no forwarding is configured here. For now I fully blame OVH for this issue.
Interesting analysis. Is it possible that the algo for the OTP is "known"? So the attacker would simply have to know what the next OTP password is once it's been submitted?