Personally, I think you don't need to worry about it.
Firstly, we don't know the working mechanism and evaluation standard for the tool that you used.
Secondly, Exchange doesn't use "https://autodiscover.domain.com"; Autodiscover works with "https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml". If you still think the autodiscover record isn't safe, you can remove this record and use an SRV record to replace it.
In fact, you can use many devices (such as F5 or EOP) to filter client access requests to ensure the security of your Exchange server.
If you are still concerned about the security of your Exchange server, you could open a paid ticket to confirm with the Microsoft product team.