Many AD accounts lock up, and growing
Over the past 8 days or so we have started seeing a huge increase in Active Directory account lockouts across our domain of about 700 users. We have seen it go from about 10 account locks per day, to over 60 locks today.
We are really struggling to find the root cause. We are following most of the usual account lockout guidance, i.e. EventComb, LockoutStatus, ADAuditPlus, checking for Event ID 4740 on the DCs and checking the calling computer. Well, the calling computer is almost always our authenticating Internet Proxy server. We have already tried clearing Credential Manager, but the problem returns for these users.
The frustrating part is that we only see the 4740 event (account has been locked), but we don't see any preceding 4625 events (bad password) on the DC or client. Yes, I think we have all auditing enabled on the DCs. Without this evidence, we can't tell for sure which computer is sending the bad passwords to AD. I suspect the 4740 from the Proxy Server is just a symptom of the root problem, and some other service is actually sending the bad passwords, and then the Proxy finally just runs into the locked account and creates the 4740 on the DC.
I also wonder if it is some Kerberos problem, but I can't really find any useful event IDs for this theory either.
Does anybody have any advice on this?
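An added example for triage of this kind of problem, not code from the original post. One reason a DC shows 4740 without a preceding 4625 is that 4625 is written on the machine where the logon attempt itself happens (here, the proxy), while the DC records the credential check as 4776 (NTLM credential validation, status 0xC000006A for a bad password) or 4771 (Kerberos pre-authentication failed, status 0x18 for a bad password). The script below pulls all four IDs from every DC for a look-back window and groups them by account, event ID and calling host, so the host that is actually submitting bad passwords shows up next to the lockout. It assumes the ActiveDirectory RSAT module is installed, the caller can read the DC Security logs remotely, and a 24-hour window; the window and the field-to-ID map are assumptions you can adjust.

```powershell
# Added example: correlate lockouts (4740) with the DC-side failed-credential
# events (4625, 4771, 4776) across all domain controllers. Not from the original post.
# Assumptions: ActiveDirectory module present, remote Security-log read rights, 24h window.

Import-Module ActiveDirectory

$Since    = (Get-Date).AddHours(-24)   # assumed look-back window
$EventIds = 4740, 4625, 4771, 4776

# Field that names the source of the attempt, per event ID.
# 4740 puts the calling computer in TargetDomainName; 4776 uses Workstation;
# 4625 and 4771 carry the caller's IpAddress.
$SourceField = @{
    4740 = 'TargetDomainName'
    4625 = 'IpAddress'
    4771 = 'IpAddress'
    4776 = 'Workstation'
}

function Get-EventField {
    # Read one named <Data> element out of the event's XML rendering.
    param([xml]$Xml, [string]$Name)
    $node = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

$Rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = $EventIds
        StartTime = $Since
    } -ErrorAction SilentlyContinue   # suppress "no events found" on quiet DCs

    foreach ($e in $events) {
        [xml]$x = $e.ToXml()
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            Id      = $e.Id
            Account = Get-EventField -Xml $x -Name 'TargetUserName'
            Source  = Get-EventField -Xml $x -Name $SourceField[$e.Id]
            # Failure reason: 4771 status 0x18 / 4776 status 0xC000006A = bad password;
            # 4771 status 0x12 / 4776 status 0xC0000234 = account already locked.
            # (4625 keeps the specific reason in SubStatus; Status alone is generic there.)
            Status  = Get-EventField -Xml $x -Name 'Status'
        }
    }
}

# Only accounts that actually locked out in the window.
$Locked = $Rows | Where-Object Id -eq 4740 |
          Select-Object -ExpandProperty Account -Unique

# Count of each (account, event ID, source host) triple, busiest first.
$Rows |
    Where-Object { $_.Account -in $Locked } |
    Group-Object Account, Id, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If the 4776 or 4771 rows for a locked account name a source other than the proxy, that is the host to inspect for a stale credential (a mapped drive, scheduled task, service, or mobile device still holding an old password); if every failure really does come from the proxy, the proxy's own Security log (where the 4625s will be) and its client IP logs are the next hop. Reading 4771 and 4776 from the DCs requires that "Audit Kerberos Authentication Service" and "Audit Credential Validation" are enabled in the advanced audit policy, not only the legacy "Audit logon events" setting.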