Right. You are responsible for the security of your setup.
Also, Voip.MS has a feature to enable or disable outbound calls to every single country or group of countries. (CallCentric were the originators of this).
I enable to US, Canada, and iNum calls, and block all others.
That would have protected you.