Attack on WebAdmin

Today I received email notifications from the firewall stating that there had been two failed login attempts to WebAdmin.
I have never seen this previously, other than when I have screwed up and entered the wrong password myself.

There is a single entry in the firewall rules that allows TCP 4444 access to WebAdmin login page from the Internal Network. No other rules include this service port.
A check of the reported IP address that attempted the login gives a location of Morocco, which I am pretty sure is not included in my internal network.

Can anyone explain how someone outside my internal network could access my WebAdmin login page?

UTM Release 9.705-3