Exchange Online|Exchange Server|Office|Office 365

Is Exchange Online Threatened by Ransomware?

The question of whether ransomware could infect and encrypt an Exchange Online mailbox raised by Michael Van Horenbeeck is fair. Although no reports exist of such an infection, the tools are there and, no doubt, someone is willing to try such an attack.

Vendors of cloud backup solutions like to raise this point with potential customers. They argue that Microsoft’s strategy of using Native Data Protection to avoid the need for backups of Exchange Online mailboxes is insufficient in a world where deliberate acts of malfeasance, such as ransomware attacks, are well known.

Files Restore

The existence of ransomware is one of the reasons why Microsoft introduced the Files Restore feature for OneDrive and SharePoint. This feature depends on versions of documents being available to allow recovery to a selected point in time. The versions of Word, Excel, and PowerPoint used with Office 365 support automatic versioning (“AutoSave”) to ensure that versions are available for recovery.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

Attacking Exchange Online

Exchange is not SharePoint, or so I am told (the two products once shared the same database engine). A ransomware attack against a OneDrive for Business account or SharePoint document library could potentially lead to infection across an entire tenant, depending on factors such as the type of attack, how it spreads, and the sharing behavior of users. Advanced Threat Protection (ATP) for SharePoint can detect and suppress sharing of infected files, but perhaps only after some harm is done. However, assuming good versions of documents exist, the Files Restore feature allows users to recover their own files. If not, Microsoft can recover complete site collections from backup. A restore overwrites everything in the site collection, so it’s not a great solution.

An attack against Exchange could spread even faster if someone was to email malware to large segments of the organization. Exchange’s anti-malware defenses are likely to catch and disinfect most attempts to distribute bogus applications via email in real time. The kind of attack on Office 365 described in 2018 by Kevin Mitnick features an app delivered to an inbox. At this point you’d hope that most people are wise enough to realize that unknown applications that appear in the inbox should be treated with the utmost suspicion. Alas, this user is (insert favorite descriptor) silly enough to overlook the obvious clues (Figure 1) that the application shouldn’t be trusted and go ahead to allow it access to their mailbox.

Three hints that an app might not be what it seems
Figure 1: Three hints that an app might not be what it seems (image credit: Tony Redmond)

Arriving by email is a natural attack vector against Exchange Online. It’s possible that an application could gain access another way, like a direct attack against the user account (a good reason to use MFA everywhere) or malware shared in a document,

Once an application has access, the malware can encrypt messages as quickly as it can fetch items from the user’s mailbox. The app worked reasonably quickly with what seemed to be a set of draft messages in the demo mailbox; it’s entirely possible that it might not do quite so well with a large mailbox containing hundreds of thousands of items. In any case, the damage was done, and the encrypted items required a Bitcoin payment before they can be decrypted.

Lagged Database Doesn’t Help

The form of Native Data Protection used by Exchange Online includes a lagged copy of each mailbox database. It is technically possible for Microsoft to restore a mailbox from the lagged copy any time within seven days of the current time. A tenant administrator can’t do this because they have no way to mount the lagged copy and recover the data to the target mailbox like they can with an on-premises database. For their own good reasons, Microsoft doesn’t offer such a recovery service, possibly because they have not built an automated process to recover a mailbox from the lagged database. Automation is a sine que non for high-touch operations within Office 365.

Do Third-Party Backups Help?

So, is a third-party cloud backup the only viable solution if your tenant was unlucky enough to be attacked, the malware gets through to a mailbox, and the owner of the mailbox unwise enough to allow the malware free rein over their data? You’d have to be very unlucky for all the pieces to allow a successful attack to click into place, but it could.

Backup vendors can recover a mailbox to a point in time before the attack happens. If a vendor cannot, then you should lose any interest you might have in their services. But even if a recovery is possible, it will take time. In fact, given the swelling size of many Exchange Online mailboxes these days, it’s an interesting exercise to see just how long a recovery operation takes.

But as I have advocated in the past, before rushing to invest in an add-on cloud backup service to guard against a threat that is of marginal probability, think about what you could do with out-of-the-box functionality that you’re already paying for.

Recovery Through Held Items

For example, mailboxes on litigation hold are protected because any change to a mailbox item caused by malware encrypting the content or an item’s properties will force Exchange to capture a copy of the item before the change (copy on write). The same is done for holds placed on mailboxes by Office 365 eDiscovery cases.

In effect, the copies in the Recoverable Items structure are a get out of jail card because you can run a content search to find all the items in the mailbox and export the results to one or more PSTs. The PSTs will include the bad (encrypted) items, but also include the good (pre-encryption) copies.

Recovery is a matter of deleting the bad items from the online mailbox and copying the good items back. Remember to take the mailbox off hold before deleting the bad items from it as you don’t want Exchange to copy those items. This is not a fast way to restore a mailbox to good health. It’s also a manual, tiresome process that might involve using Outlook desktop to move tens of thousands of items from PST to mailbox.

Litigation hold is not designed to protect against ransomware and content search exports aren’t there to recover infected mailboxes. But the process works and uses tools built into Exchange. Nothing else is needed to restore the infected mailbox.

Protecting Items with Office 365 Encryption

Another thing you can do is use Office 365 Message Encryption (OME) and Office 365 Sensitivity Labels to protect important messages. All Office 365 tenants with E3 licenses (or above) can use inbuilt encryption for email, and if a message is already encrypted, I doubt that malware could update its content unless the app can gain superuser permission. Although content (including attachments) is safe, malware will be able to interfere with a message’s properties like its subject because this data is not encrypted.

Again, this is functionality readily available to Exchange Online users, if tenants take the time to educate people about how to use encryption effectively.

Possibility Exists, but Likelihood is Small

Don’t get me wrong. I do not underestimate threat and I do not underestimate the fearsome intellect that some attackers exert when coming up with new and innovative ways to penetrate systems to steal or compromise data. It is entirely possible that someone could build and execute a ransomware attack against Exchange Online. But the likelihood of success is very small, unless your anti-malware defenses are weak, and users like to dabble with the dark art of trusting unknown applications.

Given that Microsoft has the Files Restore feature for OneDrive and SharePoint, it’s reasonable to ask if they could do the same for Exchange. The lagged database copy is the obvious place to look because it will work for every mailbox, including those not on hold. Maybe Microsoft will do something in this area in the future. Until then:

  1. Use MFA to protect user accounts to reduce the chance that a direct attack against Office 365 accounts will succeed.
  2. If you’re concerned about the possibility of ransomware attacks against Exchange Online mailboxes, consider placing sensitive mailboxes on litigation hold. Many sensitive mailboxes are already on hold for one reason or another, so this isn’t a big step.
  3. Consider using Office 365 Message Encryption and Office 365 Sensitivity Labels to protect important email. Using these features requires user education. Encryption is not something to launch on a whim.
  4. Educate users to treat every application that asks for access to their mailbox with great suspicion. You never know when malware will penetrate your anti-malware defenses.

Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (4)

4 responses to “Is Exchange Online Threatened by Ransomware?”

    • <blockquote><em><a href="#16403">In reply to iski4kix:</a></em></blockquote><p>a) because a cloud backup solution is an added cost.</p><p>b) because a cloud backup solution introduces extra complexity into operations.</p><p>c) because you can recover from these attacks with built-in Exchange Online functionality.</p><p><br></p><p>By all means, use cloud backup solutions if you have good and verifiable reasons to do so, but don't use them just to offset this kind of attack unless you're sure that a cloud backup is the only remedy.</p>

      • <blockquote><em><a href="#16408">In reply to Tony-Redmond:</a></em></blockquote><p>Hi Tony,</p><p><br></p><p>If malware/ransomware attacks files that are hardly used (80% of the data is no longer worked on in almost all companies), it most likely will not be noticed. So lets assume the following;</p><p><br></p><p>Ransomware enters the infrastructure, attacks 'old' files and takes it easy with encrypting the files in order to avoid getting noticed. Soon the 93 retention days (in Sharepoint) are over, and the attack is successful. How do you restore in that case ? Remember that deleting the original will also delete all the versions that are created.</p><p><br></p><p>Besides, its not only attacks from malware/ransomware that you want to protect yourself from. The vast majority of files that get deleted are done by users (intentionally or not) and quite often they will notify the service desk after a long while.</p><p><br></p><p>Also the lagged database : "<span style="color: rgb(102, 102, 102);">The lagged database copy is not intended for individual mailbox recovery or mailbox item recovery. Its purpose is to provide a recovery mechanism for the rare event of systemwide, catastrophic logical corruption." </span></p><p><br></p><p>Looking at all the possible options that Microsoft offers and considering what can go wrong, I would feel a whole lot more comfortable by having a good backup solution.</p>

Leave a Reply

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.