Exploitable?
If you want to test if your exchange server is vulnerable edit this. If you see an auth window you are. If you get denied you are not.
https://owa.contoso.com/Autodiscover/autodiscover.json@PowerShell
To mitigate it you can follow these steps
Import-Module WebAdministration
Invoke-WebRequest -UseBasicParsing -Uri 'https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite\_amd64\_en-US.msi' -OutFile "$env:windir\temp\rewrite.msi"
Start-Process -FilePath "$env:windir\system32\msiexec.exe" -ArgumentList '/i', "$env:windir\temp\rewrite.msi", '/qn'
Start-Sleep -Seconds 15
$name = 'Block AutoDiscover 0-Day'
$inbound = '.*autodiscover\.json.*\@.*Powershell.*'
$site = 'IIS:\Sites\Default Web Site\Autodiscover'
$root = 'system.webServer/rewrite/rules'
$filter = "{0}/rule[@name='{1}']" -f $root, $name
Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name; patternSyntax = 'Regular Expressions'; stopProcessing = 'False' }
Set-WebConfigurationProperty -PSPath $site -filter "$filter/match" -name 'url' -value $inbound
Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'type' -value 'CustomResponse'
Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'statusCode' -value 403
Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'statusReason' -value 'Forbidden'