All my searches lead to dead ends, like https://serverfault.com/questions/643616/best-way-to-trace-outgoing-requests-from-a-server and https://www.reddit.com/r/sysadmin/comments/384q3b/my_server_was_just_suspended_because_of_a/.
@sp121 do you have a cloud firewall? One recommendation is to stop all outbound traffic altogether. Most apps don't need to make outbound requests anyway. Slowly start whitelisting outbound traffic. Is this an option?
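
An added example, not part of either post above: once outbound traffic is denied by default, the dropped connections themselves show what to trace and what to whitelist. This sketch assumes a Linux host whose netfilter OUTPUT chain logs (with `--log-uid`) before its final DROP; the `EGRESS-DROP: ` prefix, the function names and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: kernel log lines as a netfilter LOG rule would write them.
# "EGRESS-DROP: " is an assumed log prefix; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 10:15:01 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=44321 DPT=25 SYN UID=33 GID=33
Jan 12 10:15:02 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=44322 DPT=25 SYN UID=33 GID=33
Jan 12 10:15:04 web1 sshd[812]: Accepted publickey for deploy from 10.0.0.9 port 50022
Jan 12 10:15:09 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.10 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=443 SYN UID=0 GID=0
Jan 12 10:15:11 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=44323 DPT=25 SYN UID=33 GID=33
Jan 12 10:15:20 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (IN=)


def parse_line(line, prefix="EGRESS-DROP: "):
    """Return (uid, proto, dst, dport) for a logged egress drop, else None."""
    if prefix not in line:
        return None  # unrelated syslog line
    fields = dict(FIELD.findall(line.split(prefix, 1)[1]))
    if "DST" not in fields or "PROTO" not in fields:
        return None  # truncated or malformed entry
    # UID is only present with --log-uid; ICMP entries carry no DPT.
    return (fields.get("UID", "?"), fields["PROTO"],
            fields["DST"], fields.get("DPT", "-"))


def summarize(log_text):
    """Count dropped outbound flows per (uid, proto, dst, dport), busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        key = parse_line(line)
        if key is not None:
            counts[key] += 1
    return counts.most_common()


if __name__ == "__main__":
    print(f"{'count':>5}  {'uid':>5}  proto  destination")
    for (uid, proto, dst, dport), n in summarize(SAMPLE_LOG):
        print(f"{n:>5}  {uid:>5}  {proto:<5}  {dst}:{dport}")
```

Each row is either a legitimate dependency to add to the allowlist or a process to investigate; the UID column points at which local account made the request.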