Original poster said on premise. An appropriately secured vpn may or may not help security, but it is still "virtual" and does not meet the definition of on premise.

The VPN credentials could be phished. Of course appropriately-secured might mean U2F, in which case it likely would have prevented the attack. But they also could have used U2F without a VPN, and that also would have likely prevented the attack. So the VPN isn't really a benefit.