Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Ransomware Risks for Microsoft 365

With the rise in remote workers the risk of ransomware is higher than it has ever been before. By now most people know that ransomware is a type of malware extortion scheme that typically encrypts files and folders preventing access to critical data or sometimes it can also be used to steal sensitive data.

After the attack there is a demand for money – usually in the form of Bitcoin – in exchange for the decryption keys or the promise not to release sensitive data. The threat of ransomware attacks continues to grow as exploits like Ransomware-as-a-Service (RaaS), which first emerged in 2016, gain in hacker popularity and enable a greater scale and easier proliferation of ransomware attacks.

Most ransomware attacks are focused on on-premises implementations. However, the threat of ransomware isn’t just limited to local devices. Cloud data like the data used by Microsoft 365 can also be at risk and it can be susceptible to data corruption. Let’s take a closer look at how ransomware can impact Microsoft 365.

Microsoft 365 data types and vulnerabilities

As Microsoft 365 is collection of different programs like Word, Excel, OneDrive, and Teams it actually uses a number of different documents and data types.

Exchange Online – Email messages and attachments
SharePoint Online – Shared documents and web pages
OneDrive – User files
Teams Chats – Chat text and Teams channel messages

Even though this data is typically stored in the cloud, all these data types can be potentially corrupted by ransomware. Ransomware can gain access to Microsoft 365 data in the cloud through a OneDrive synced connection or a mapped drive to a SharePoint Online library.

Sponsored: Afi.ai provides a modern solution for backing up Office 365 including full Teams support, SharePoint and OneDrive file metadata and sharing permissions, and many other advanced and modern features.

Microsoft 365’s ransomware protection

Microsoft 365 is one of today’s most popular cloud applications. Since it’s a cloud application, many users believe that Office 365 data doesn’t need any protection. A common misperception is that Microsoft will protect all your data. While Microsoft does offer a number of different types of protection from ransomware and malware it’s important to know that the customer is actually responsible for their own data.

A ransomware attack typically begins with a user opening an infected file or malware link on a local system which then infects local files. After the user’s local files are infected, they’re then synchronized to the cloud by the Microsoft 365 client sync tool.

Microsoft 365 has several different technologies that are designed to protect your data:

Anti-Virus (AV) scanning is a part of all Microsoft 365 plans. Exchange Online Protection scans emails and detects phishing and infected messages. SharePoint and OneDrive also have an anti-malware engine that scans suspicious files and deletes or blocks them if malware is detected.
Versioning is a part of SharePoint and OneDrive for all Microsoft 365 versions. And by default, it retains a minimum of 500 versions of a file.
The Recycle bin allows you to undelete Exchange Online, SharePoint sites, and OneDrive items within 93 days. In addition, the second-stage recycle bin also stores deleted items for another 93 days or until you delete the items out of the second stage recycle bin.
Sandboxing is available with the extra add-on product Defender for Office 365. Defender for Office 365 monitors files for suspicious actions in a safe sandboxed environment to protect against unknown zero-day threats.

The AV scanning helps to protect against email phishing exploits, which are often how ransomware attacks get started. It can also help to reduce the spread of ransomware by blocking known malware. The versioning capabilities can help you recover from a ransomware attack.

However, as it works on an individual file basis, it tends to be too cumbersome to reverse large-scale encryptions. Microsoft actually recommends that you roll back entire document libraries and OneDrive to some specific point in time within the last 30 days. While this can eliminate corrupted or encrypted files it can also result in significant data loss.

If ransomware deletes the original file, then the Recycle Bin can be useful for restoring them within 93 days. Microsoft Defender for Office 365 provides stronger protection by sandboxing and monitoring files for suspicious behavior. However, it is not included in the base Microsoft 365 packages, and you have purchase it separately.

Microsoft 365 data protection strategies

According to FBI data, the number of ransomware cases grew at 66% from 2019-2020. While historically most ransomware attacks have been directed toward on-premise infrastructure, the popularity of Microsoft 365 and other cloud offerings make it a mark that cybercriminals and hackers will certainly target more in the future.

There are signs this trend has already begun. This past October 2021, Microsoft reported that 250 Office 365 customers in the US and Israeli defense technology sector had been targeted with password-spraying attacks. In this type of attack hackers attempt to access accounts using common passwords.

The saying goes that prevention is the best cure and that’s true for ransomware attacks too. Some of the best ways that you can plan to protect your Microsoft 365 data from ransomware and other malware attack include:

Implementing Two-Factor Authentication to strengthen access requirements, lessening the chance of being hit by ransomware or malware.
Backing up your Microsoft 365 data. Cloud data is your responsibility and Gartner Research has recommended that organizations using Office 365 implement some type of third-party backup and data protection mechanism. Backup definitely increases your ability to recover from a ransomware attack.
Making sure you use air gapped cloud backup storage. Some types of ransomware have been known to explicitly target backups. Keeping a copy of your backups on a completely separate storage location or region that’s not directly connected to your live data can help ensure the integrity of your backups.
User education is also one of the best ways to prevent attacks the first place. Unknowingly opening infected email attachments or other links is the primary avenue to introduce ransomware into the organization. Training users how to identify and avoid phishing and bad email links can stop ransomware from ever gaining a foothold.

In the end, Microsoft 365 data protection is the customer’s responsibility. Taking advantage of the Microsoft supplied data protection tools, as well as implementing your own data protection procedures, can help keep your Microsoft 365 data free from ransomware as well as to help you to recover from a ransomware attack.

For more information on how to protect data in Microsoft 365, read Can Ransomware Hit Your Microsoft 365 Data?

Table of contents

by Michael Otey
Last Update: Apr 17, 2024
Oct 26, 2021

Michael Otey is president of TECA, a technical content production, consulting and software development company in Portland, Ore. Michael is a former SQL Server MVP and was Senior Technical Director for Windows IT Pro and SQL Server Pro. He covers the...

Microsoft and AI: What Is the Copilot Semantic Index and How Does It Work?

Feb 6, 2024
Mar 21, 2024
How to Grant Full Mailbox Access to Users in Office 365 and Exchange Server

Aug 4, 2023
Aug 08, 2023
Nested Microsoft 365 Groups: What You Need to Know

Jul 12, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.