Juraj, we were definitely hacked, as you mentioned. Nothing was showing up in the event logs, we had to go into the IIS logs to see that nonexistent directories were being hit and returning 200 to know something was amiss. These directories consisted of subfolders with one-word names and randomized HTML files within.
The one-word names were causing a redirect to a malicious site for any URL that contained them. For example, if our site had the word "win" anywhere in the URL, even if you tacked on the word to create what should have been a nonexistent URL generating a 404, it redirected. We've since mitigated the redirects but are still dealing with the source.