Not only exchange accounts, anything critical should be using 2FA and cell phone text messages is a very poor second factor. Unfortunately, this is commonly used but is easy to get around using social engineering.