Ransomware Risks for Microsoft 365


With the rise in remote workers the risk of ransomware is higher than it has ever been before. By now most people know that ransomware is a type of malware extortion scheme that typically encrypts files and folders preventing access to critical data or sometimes it can also be used to steal sensitive data.

After the attack there is a demand for money – usually in the form of Bitcoin – in exchange for the decryption keys or the promise not to release sensitive data. The threat of ransomware attacks continues to grow as exploits like Ransomware-as-a-Service (RaaS), which first emerged in 2016, gain in hacker popularity and enable a greater scale and easier proliferation of ransomware attacks.

Most ransomware attacks are focused on on-premises implementations. However, the threat of ransomware isn’t just limited to local devices. Cloud data like the data used by Microsoft 365 can also be at risk and it can be susceptible to data corruption. Let’s take a closer look at how ransomware can impact Microsoft 365.

Microsoft 365 data types and vulnerabilities

As Microsoft 365 is collection of different programs like Word, Excel, OneDrive, and Teams it actually uses a number of different documents and data types.

  • Exchange Online – Email messages and attachments
  • SharePoint Online – Shared documents and web pages
  • OneDrive – User files
  • Teams Chats – Chat text and Teams channel messages

Even though this data is typically stored in the cloud, all these data types can be potentially corrupted by ransomware. Ransomware can gain access to Microsoft 365 data in the cloud through a OneDrive synced connection or a mapped drive to a SharePoint Online library.

Sponsored: Afi.ai provides a modern solution for backing up Office 365 including full Teams support, SharePoint and OneDrive file metadata and sharing permissions, and many other advanced and modern features.

Microsoft 365’s ransomware protection

Microsoft 365 is one of today’s most popular cloud applications. Since it’s a cloud application, many users believe that Office 365 data doesn’t need any protection. A common misperception is that Microsoft will protect all your data. While Microsoft does offer a number of different types of protection from ransomware and malware it’s important to know that the customer is actually responsible for their own data.

Microsoft 365 Ransomware Risks
Microsoft 365 Ransomware Risks

A ransomware attack typically begins with a user opening an infected file or malware link on a local system which then infects local files. After the user’s local files are infected, they’re then synchronized to the cloud by the Microsoft 365 client sync tool.

Microsoft 365 has several different technologies that are designed to protect your data:

  • Anti-Virus (AV) scanning is a part of all Microsoft 365 plans. Exchange Online Protection scans emails and detects phishing and infected messages. SharePoint and OneDrive also have an anti-malware engine that scans suspicious files and deletes or blocks them if malware is detected.
  • Versioning is a part of SharePoint and OneDrive for all Microsoft 365 versions. And by default, it retains a minimum of 500 versions of a file.
  • The Recycle bin allows you to undelete Exchange Online, SharePoint sites, and OneDrive items within 93 days. In addition, the second-stage recycle bin also stores deleted items for another 93 days or until you delete the items out of the second stage recycle bin.
  • Sandboxing is available with the extra add-on product Defender for Office 365. Defender for Office 365 monitors files for suspicious actions in a safe sandboxed environment to protect against unknown zero-day threats.

The AV scanning helps to protect against email phishing exploits, which are often how ransomware attacks get started. It can also help to reduce the spread of ransomware by blocking known malware. The versioning capabilities can help you recover from a ransomware attack.

However, as it works on an individual file basis, it tends to be too cumbersome to reverse large-scale encryptions. Microsoft actually recommends that you roll back entire document libraries and OneDrive to some specific point in time within the last 30 days. While this can eliminate corrupted or encrypted files it can also result in significant data loss.

If ransomware deletes the original file, then the Recycle Bin can be useful for restoring them within 93 days. Microsoft Defender for Office 365 provides stronger protection by sandboxing and monitoring files for suspicious behavior. However, it is not included in the base Microsoft 365 packages, and you have purchase it separately.

Microsoft 365 data protection strategies

According to FBI data, the number of ransomware cases grew at 66% from 2019-2020. While historically most ransomware attacks have been directed toward on-premise infrastructure, the popularity of Microsoft 365 and other cloud offerings make it a mark that cybercriminals and hackers will certainly target more in the future.

There are signs this trend has already begun. This past October 2021, Microsoft reported that 250 Office 365 customers in the US and Israeli defense technology sector had been targeted with password-spraying attacks. In this type of attack hackers attempt to access accounts using common passwords.

The saying goes that prevention is the best cure and that’s true for ransomware attacks too. Some of the best ways that you can plan to protect your Microsoft 365 data from ransomware and other malware attack include:

  • Implementing Two-Factor Authentication to strengthen access requirements, lessening the chance of being hit by ransomware or malware.
  • Backing up your Microsoft 365 data. Cloud data is your responsibility and Gartner Research has recommended that organizations using Office 365 implement some type of third-party backup and data protection mechanism. Backup definitely increases your ability to recover from a ransomware attack.
  • Making sure you use air gapped cloud backup storage. Some types of ransomware have been known to explicitly target backups. Keeping a copy of your backups on a completely separate storage location or region that’s not directly connected to your live data can help ensure the integrity of your backups.
  • User education is also one of the best ways to prevent attacks the first place. Unknowingly opening infected email attachments or other links is the primary avenue to introduce ransomware into the organization. Training users how to identify and avoid phishing and bad email links can stop ransomware from ever gaining a foothold.

In the end, Microsoft 365 data protection is the customer’s responsibility. Taking advantage of the Microsoft supplied data protection tools, as well as implementing your own data protection procedures, can help keep your Microsoft 365 data free from ransomware as well as to help you to recover from a ransomware attack.

For more information on how to protect data in Microsoft 365, read Can Ransomware Hit Your Microsoft 365 Data?