- Anonymous is needed because the messages sent from external mail servers to your mail server are not authenticated. If you disable that, then no one externally can send messages to your mail server.
- If you want to receive mail directly from the internet to your Exchange server, you have to allow anonymous for all connections; otherwise you would need to set your MX record to a 3rd party or Edge Server that receives mail from the internet, then set the receive connector on Exchange to only receive mail from that Edge server.
- You combat phishing with quality 3rd party anti-spam/anti-malware. You can use a transport rule, but that's not the best way to do that.

If you are in hybrid, then the recommendation is that you allow mail to go inbound and outbound through Office 365 and you do not allow any direct access to the Exchange Server except from Exchange Online. You can control this with firewall rules.
https://video2.skills-academy.com/en-us/exchange/transport-routing
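
An added example, not part of the original answer: one way to audit which Receive connectors accept anonymous senders from any address, and to preview scoping them to the Edge server or filtering service as described above. The address `192.0.2.10` is a constructed placeholder, and the script assumes it is run in the Exchange Management Shell on the on-premises server.

```powershell
# Added example. Assumptions: run in the Exchange Management Shell on the
# on-premises server; 192.0.2.10 is a constructed placeholder for the address
# of the Edge server or 3rd-party filtering service your MX record points to.
$AllowedSource = '192.0.2.10'

# Ranges that mean "any remote address" (IPv4 and IPv6).
$OpenRanges = '0.0.0.0-255.255.255.255', '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'

# 1. Audit: list every Receive connector, whether it accepts anonymous
#    senders, and whether it is reachable from any remote address.
$report = Get-ReceiveConnector | ForEach-Object {
    $ranges = @($_.RemoteIPRanges | ForEach-Object { "$_" })
    [pscustomobject]@{
        Identity       = $_.Identity
        Bindings       = ($_.Bindings -join ', ')
        Anonymous      = "$($_.PermissionGroups)" -match 'AnonymousUsers'
        OpenToAnyHost  = [bool]($ranges | Where-Object { $OpenRanges -contains $_ })
        RemoteIPRanges = ($ranges -join ', ')
    }
}
$report | Format-Table -AutoSize

# 2. Scope: for connectors that are anonymous AND open to any host, preview
#    restricting them to the filtering host only. Remove -WhatIf to apply.
#    Check first that nothing else (scanners, applications) submits mail to them.
$report | Where-Object { $_.Anonymous -and $_.OpenToAnyHost } | ForEach-Object {
    Set-ReceiveConnector -Identity $_.Identity -RemoteIPRanges $AllowedSource -WhatIf
}
```

Scoping the connector complements the firewall rules mentioned above; the anonymous permission stays in place, but only the filtering host can reach the connector.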