Office 365 Ransomware ProtectionOffice 365 Ransomware Protection
Reading Time: 6 minutes

Ransomware attacks are becoming increasingly common and pose a significant threat to organizations using cloud-based solutions like Office 365. Ransomware encrypts an organization’s data, making it inaccessible, and demands a ransom payment to regain access. Protecting against and recovering from ransomware attacks is essential to maintain the integrity and accessibility of an organization’s data.

Ransomware is a major threat to modern businesses, capable of compromising all types of data, including Microsoft 365 files. In 2020, there were over 304 million ransomware attacks worldwide with an average ransom payment of $812,360. As the infiltration methods become more advanced, it’s crucial to have effective protection in place.

Microsoft offers various ransomware protection tools as part of its Shared Responsibility Model, but it’s up to the organization using Office 365 to configure them and use additional third-party tools to ensure data recoverability. This article highlights the built-in Microsoft Office 365 ransomware protection and recovery features that allow you to secure your environment and restore your data in case of an attack.

Built-in Office 365 Ransomware Defense

Microsoft subscriptions come equipped with various in-house options for protecting your tenant and reducing the risk of security incidents. Utilizing the tools available in Exchange Online Protection (EOP) and Microsoft Defender, you can identify, track, and prevent attacks before they spread throughout your network.

It’s important to note that while Microsoft’s ransomware protection features provide a level of security, they have limitations and do not offer full protection, particularly against user-initiated malware.

Microsoft 365 Defender

Microsoft 365 Defender is a security solution that provides advanced threat protection for Microsoft 365 users. It integrates various security tools such as Exchange Online Protection (EOP), Windows Defender Antivirus, and Azure Advanced Threat Protection (ATP) to provide a comprehensive defense against threats such as phishing, malware, and ransomware. Microsoft 365 Defender also includes threat intelligence and investigations capabilities, allowing administrators to quickly respond to and remediate security incidents.

  • Threat investigation and response in Microsoft 365

Threat investigation and response is a suite of tools that assist administrators in monitoring their environment and collecting information on potential security threats. Data is gathered from various sources such as infected computers, past incidents, user activity, and more. Response actions are then taken to address risks in OneDrive for Business, SharePoint Online, Exchange Online, and Microsoft Teams.

  • Anti-phishing protection

Phishing attacks, a form of social engineering, are a common method for ransomware infections. Microsoft Defender for Office 365 uses advanced algorithms and tools to detect and prevent phishing attacks from compromising Office 365 data. Some of these tools include:

    • Spoof intelligence: Detect and automatically block spoofed senders in internal or external domain messages. Admins can also manually allow or block identified senders in the Tenant Allow/Block List.
    • Anti-phishing policies: Set up impersonation protection, mailbox intelligence, and advanced phishing thresholds, and specify actions for blocked spoofed senders.
    • Implicit email authentication: Check inbound email for forged senders using sender reputation, sender history, and behavioral analysis.
    • Campaign views: Detect and analyze messages involved in coordinated phishing campaigns.
    • Attack simulation training: Admins can create fake phishing messages to test users’ preparedness and conduct ransomware awareness training.
  • Anti-malware protection

Exchange Online Protection (EOP) has multi-layered malware protection to detect incoming and outgoing malware, including viruses, spyware, and ransomware. Features include:

    • Layered defenses against malware: Anti-malware scan engines protect against known and unknown threats, providing Office 365 ransomware protection from early stages of an outbreak.
    • Real-time threat response: Admins can gather information about a virus or malware to create specific policy rules and publish them across the network.
    • Fast anti-malware definition deployment: Anti-malware engines are constantly updated with new patches and malware definitions.
  • Controlled folder access

By enabling real-time protection in Microsoft Defender Antivirus, you can use Controlled folder access to protect Office 365 files from malicious apps and ransomware. This feature checks apps against a list of known apps and only allows trusted apps to access protected folders. In case of malicious activity, a notification is sent with the app that attempted to make unwanted changes to the protected document.

  • Microsoft Defender for Cloud Apps

The move to the cloud introduces new security risks that can threaten your data during storage or transfer. Microsoft Defender for Cloud Apps offers advanced control, visibility, and cyberthreat detection for Microsoft and third-party cloud services in Microsoft Enterprise plans. Features include:

    • Discovery and control of Shadow IT: Identify and investigate cloud apps and services used by the organization, assess business readiness against multiple risks.
    • Protection of sensitive information in the cloud: Control and protect sensitive data in real-time across all cloud apps with policies and automated processes.
    • Deter cyberthreats and anomalies: Detect unusual behavior, ransomware, compromised computers, and malicious applications. Analyze high-risk usage patterns and automatically remediate threats.
    • Assess cloud app compliance: Ensure that applications meet regulatory compliance and industry standards.
  • Microsoft Defender SmartScreen

Microsoft Defender SmartScreen offers protection against malware or phishing files and websites. Potentially malicious files are automatically blocked, and users are notified. Visited websites are checked against a list of reported phishing and malicious sites, while downloaded apps or installers are checked against a list of reported unsafe programs.

Microsoft Purview Information Protection

Microsoft Purview Information Protection offers features that help safeguard sensitive data against ransomware attacks and ensure proper data governance.

DLP policies help prevent sensitive data from being shared with unauthorized individuals and reduce the risk of data loss. DLP also monitors user activities with sensitive data and can move and secure them in a quarantine location to stop ransomware infections.

  • Sensitivity Labels

By applying sensitivity labels to sensitive emails and documents, you can protect the data from ransom threats. You can also mark the content as sensitive or encrypt it to ensure only authorized users can access it.

  • Additional Office 365 Ransomware Protection

Microsoft offers additional tools for protecting against ransomware, including:

    • Exchange Email Settings: By configuring Exchange email settings, you can reduce the risk of email-based ransomware attacks.
    • Multi-Factor Authentication: Enabling multi-factor authentication in Office 365 adds an extra layer of protection to the login process and reduces the chance of compromised credentials.
    • Microsoft Secure Score: This tool continuously assesses your organization’s security posture and provides recommendations for improving protection.
    • Attack Surface Reduction Rules: By configuring these rules, you can reduce vulnerabilities to cyber attacks and block suspicious activities before they spread across the network.

Microsoft Ransomware Recovery Strategies

In the event of a successful ransomware attack, it is important to take immediate action to prevent further spread of the infection. This includes stopping OneDrive sync on all connected devices and disconnecting infected devices from the network. If done quickly enough, there may still be unencrypted copies of the infected files stored elsewhere.


When enabled, versioning in SharePoint Online, Exchange Online and OneDrive for Business saves multiple versions of a document, with a default limit of 500 versions, though this limit can be increased to 50,000. If an attack occurs, you can revert to a previous version of the document and restore it. However, it’s important to note that versioning does not offer complete protection against ransomware, as some infections may encrypt all versions of a document.

Recycle Bin

In some cases, ransomware may delete the original file and create a new encrypted version in its place. In such scenarios, the recycle bin can be used to restore the deleted files within 93 days. After that period, you have a 14-day window to request data recovery from Microsoft support, after which the data is permanently deleted.

Compliance Retention Policies

Retention policies in Office 365 can be set to define the length of time files and documents are preserved. This allows you to determine what data can be deleted and when. These policies can be automated for specific content types with retention rules. Note that compliance retention policies are only available for Microsoft 365 E5, A5, and G5 subscription plans.

Preservation Hold Library

By applying retention settings, data synced to OneDrive or SharePoint can be stored in the Preservation Hold Library for a specified amount of time. The In-Place Hold feature ensures that a copy remains unchanged and protected from ransomware. After an attack, users can access the library and export the necessary files.

Third-Party Backup Solutions

While Microsoft does not back up Office 365 data, it does offer retention policies for Exchange Online, SharePoint Online, and OneDrive for Business in term of Office 365 ransomware protection. Third-party backup solutions for SaaS offer more comprehensive protection for your data, storing it in secure repositories for quick recovery in case of a cyber breach.


Office 365 provides robust ransomware protection and recovery options to help organizations mitigate the risk of data loss in the event of a ransomware attack. By utilizing the built-in security features and recovery options, organizations can minimize the impact of ransomware attacks and maintain the accessibility of their data. To further enhance the security of their data, organizations should also implement best practices such as regularly backing up their data, restricting user access to sensitive data, and providing user awareness training.

You cannot copy content of this page