I’m focusing on this exploit because it’s the current one in the wild. You’re right that other exploits will appear. It’s the nature of the thing.

Focusing on this specific exploit needing authentication is rather short sighted. Last year’s critical Exchange vulnerability, ProxyShell, did not need authentication. And there will likely be future ones that won’t either.

We already researched and implemented the change and have had zero issues.

Basically, as long as you have all of your mailboxes on Exchange Online and autodiscover DNS record pointing to autodiscover.outlook.com, all you need to allow is port 25 and 443 (just in case of mailbox moves) from Exchange Online to your on-prem Exchange servers.

Now our on-prem Exchnage servers are much better protected from future zero days and unknown vulnerabilities and exploits out there on the internet.

I’d be cautious about this approach and certainly wouldn’t implement it without thorough testing. The point about these vulnerabilities is that they depend on an attacker gaining authenticated access to a server. At that point, your organization probably has other worries to deal with…