Keep in mind, there's actual air-gapping, and there's secure enclaves. This specific attack would have no teeth if your Exchange server / OWA endpoint were only accessible from corporate VPN. You don't have to be one of the top-ten biggest corporations to run a global-scale intranet with off-the-shelf VPN servers, and it still greatly reduces your attack surface.
