So reading that it was OWA (Outlook Web Access) that was the flaw. I know my company ditched that years ago citing security concerns. It's probably the small organizations that have the issues the most, but then you get into what could have been done. Centralize more? Ugh I hope not.

I guess they could use something other than MS, but I used to contract with small businesses in this very type thing, and since most of those places are not tech savvy, already Windows-heavy, and often concerned about cost, MS servers just make sense. Sure the software isn't free, but it's a hell of a lot easier to set up the way they want, since it plays nice with Windows and Outlook by default. Which means less time spent and therefore less cost. The companies I worked with were too small for their own IT employee and paid me to come in at an hourly rate.

I've been dealing with this. There are 4 different exploits that when combined can give Chinese hackers access to your system. A lot of it would be manual work but the problem is that once the server is exploited it could allow access for some time to come and that could lead to full network access.

There's a script you can use to check your server here: https://github.com/microsoft/CSS-Exchange/tree/main/Security

If you can't update to the latest CU and patch then your best option is to disable access to 80/443 from outside of your network till you can. Your only hurdle is management stopping you because "they need email on there phones".