Can you confirm that there are no untrust to untrust policies?
This is another vector that can be used if the right vip/dip/mip are configured.
Were you able to confirm that the untrust interface does not have vip/dip/mip configured?
This message makes me think you do have some kind of forwarding configured that may be used by this external threat. If you are not publishing a server to the internet, these should be removed.
"Dst IP session limit!"
The "IP spoofing! From" alert indicates the firewall knows the addresses are being forged and the attack is more on the DoS side than a compromise attempt.
Once all possible policy and NAT forwarding methods are off, there is no way the traffic from the untrust side would be forwarded to your internal network.
By an internal attack, what I meant was a computer on your internal network has been hacked and is now a platform for external agents to use for lateral internal movement. Have a close look at computers connected to the network that are left on overnight for indicators of being compromised.
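
One way to run the checks asked for in this reply against a saved configuration, as an added example that is not part of the original post. It assumes a ScreenOS-style config made of `set interface ... zone`, `set interface ... vip|dip|mip` and `set policy id N from ... to ...` lines; the sample config and the `audit` function are constructed for illustration.

```python
import re

# Constructed sample config (assumed ScreenOS-style "set" lines, documentation IPs).
SAMPLE_CONFIG = '''\
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/0" ip 203.0.113.2/24
set interface "ethernet0/0" mip 203.0.113.10 host 192.168.1.10 netmask 255.255.255.255
set interface "ethernet0/0" vip 203.0.113.11 80 "HTTP" 192.168.1.20
set interface "ethernet0/1" dip 4 192.168.1.100 192.168.1.110
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 7 from "Untrust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 9 from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "HTTP" permit
'''

IFACE_ZONE = re.compile(r'^set interface "?([^"\s]+)"? zone "?([^"\s]+)"?', re.I)
IFACE_NAT = re.compile(r'^set interface "?([^"\s]+)"? (vip|dip|mip)\b', re.I)
POLICY = re.compile(r'^set policy id (\d+) .*?from "?([^"\s]+)"? to "?([^"\s]+)"?', re.I)

def audit(config, zone="untrust"):
    """Return (kind, line) findings for forwarding paths that start in `zone`."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Pass 1: map each interface to its zone so NAT lines can be attributed.
    zones = {}
    for line in lines:
        m = IFACE_ZONE.match(line)
        if m:
            zones[m.group(1)] = m.group(2).lower()
    # Pass 2: flag vip/dip/mip on interfaces in the zone, and policies sourced from it.
    findings = []
    for line in lines:
        m = IFACE_NAT.match(line)
        if m:
            if zones.get(m.group(1)) == zone:
                findings.append((m.group(2).lower(), line))
            continue
        m = POLICY.match(line)
        if m and m.group(2).lower() == zone:
            same = m.group(3).lower() == zone
            findings.append(("policy-untrust-to-untrust" if same else "policy-from-untrust", line))
    return findings

if __name__ == "__main__":
    for kind, line in audit(SAMPLE_CONFIG):
        print(f"{kind:26} {line}")
```

An empty result means none of the policy or NAT forwarding paths named above were found in the config text; anything listed should be removed unless a server is intentionally published.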