A bit late to this party, but...
I'll bet there was no record of the incoming call in your PBX, is that right? I've encountered this a number of times. Inbound calls from some extension that didn't even exist on the PBX, and there was no evidence of the call coming through the PBX. Instead, the call was placed directly to one of our Polycom telephones, via port 5060.
You could possibly create a rule in your firewall, white-listing your PBX with the appropriate ports. Or, you could change from the default SIP port and use something more obscure.
In our case, the solution was to add a bit of code to the phone's configuration (via a firmware edit), such that the phone would only respond to traffic from the PBX.
Code:
<voIpProt.server voIpProt.server.1.address="yourpbx.com" voIpProt.server.1.port="5060" />
<voIpProt.SIP voIpProt.SIP.enable="1">
  <voIpProt.SIP.outboundProxy voIpProt.SIP.outboundProxy.address="" />
  <!-- method="source": accept INVITE requests only when they arrive from the configured server's IP address -->
  <voIpProt.SIP.requestValidation voIpProt.SIP.requestValidation.1.method="source" voIpProt.SIP.requestValidation.1.request="INVITE" />
</voIpProt.SIP>
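Added example (not part of the original post, and not Polycom firmware code): a small Python model of the same source check, usable for triaging port 5060 traffic captured in front of a phone. The PBX address, the sample packets and all function names are constructed for illustration; as in the configuration above, only INVITE is validated, so other methods from non-PBX sources still pass.

```python
"""Flag SIP INVITEs that reached a phone from somewhere other than the PBX."""
import ipaddress

# Assumed values for this example (not from the original post).
PBX_ADDRS = {ipaddress.ip_address("192.0.2.10")}  # constructed PBX address
VALIDATED_METHODS = {"INVITE"}  # mirrors requestValidation.1.request="INVITE"

def parse_request_line(payload: str):
    """Return (method, request_uri) for a SIP request, or None otherwise."""
    first = payload.split("\r\n", 1)[0].strip()
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return None  # responses start with "SIP/2.0", junk has no version
    return parts[0].upper(), parts[1]

def header(payload: str, name: str) -> str:
    """Case-insensitive lookup of the first matching header value."""
    for line in payload.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return ""

def check_packet(src_ip: str, payload: str) -> dict:
    """Source check: validated methods are accepted only from the PBX."""
    parsed = parse_request_line(payload)
    if parsed is None:
        return {"src": src_ip, "verdict": "ignore", "reason": "not a SIP request"}
    method, _uri = parsed
    if method not in VALIDATED_METHODS:
        return {"src": src_ip, "verdict": "accept", "reason": f"{method} not validated"}
    if ipaddress.ip_address(src_ip) in PBX_ADDRS:
        return {"src": src_ip, "verdict": "accept", "reason": "INVITE from PBX"}
    return {"src": src_ip, "verdict": "reject",
            "reason": "INVITE from non-PBX source", "from": header(payload, "From")}

# Constructed sample traffic: (source IP, UDP payload seen on port 5060).
SAMPLES = [
    ("192.0.2.10", "INVITE sip:201@10.0.0.21 SIP/2.0\r\nFrom: <sip:105@yourpbx.com>\r\n\r\n"),
    ("203.0.113.77", "INVITE sip:1000@10.0.0.21 SIP/2.0\r\nFrom: <sip:1001@198.51.100.5>\r\n\r\n"),
    ("203.0.113.77", "OPTIONS sip:100@10.0.0.21 SIP/2.0\r\nFrom: <sip:100@198.51.100.5>\r\n\r\n"),
]

if __name__ == "__main__":
    for src, pkt in SAMPLES:
        print(check_packet(src, pkt))
```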