How to Protect against Ransomware in Microsoft Office 365

| Updated on October 6, 2023

Office 365 ransomware protection is becoming the main concern for organizations worldwide. The rapid shift toward remote work and the growing use of cloud services have given cybercriminals greater opportunities to expand their activities across cloud-based platforms, including Microsoft Office 365, one of the leading office suites in the world.

This article will cover how ransomware infects Microsoft Office 365 data and what protection tools you can use to keep your data safe. 

How Ransomware Infects Office 365 Environments

Ransomware is a type of malware that encrypts your computer or IT environment until you pay a ransom. In 2020, 84% of organizations surveyed worldwide were either ransomware victims or believed that their business would suffer from an attack soon.

It is now established that ransomware can infect cloud-based Office 365 data either through device synchronization or direct cloud access. When a local device gets infected, the corrupted files are synchronized with OneDrive and SharePoint through the sync client tool. 

As for direct access, ransomware can’t break in without your permission. Here are three ways how criminals can trick you into permitting them to access your Office 365 environment:

  • Phishing. In 2020, 54% of ransomware attacks were caused by phishing emails with malicious documents attached or links to malicious websites. What’s more, Microsoft tops the list of the most imitated brands for phishing attacks. In the second quarter of 2021, 45% of all brand phishing attempts masqueraded as Microsoft to steal user credentials, personal and payment information.
  • Infected applications. Though Microsoft constantly scans AppSource for malware, there’s still a risk of installing an application that will infect your environment. Criminals can either use the vulnerabilities of the existing applications or create new applications that look and function like normal ones.
  • Insider threats. Your employees can work together with criminals from outside the company and grant them the necessary access permissions or even install malware. Alternatively, your employee can decide to become rich overnight and purchase a ransomware kit on the dark web. 

As criminals become craftier, identifying a ransomware attempt can be a hard task. For example, a phishing email can come in the form of a permission request that seemingly came from Microsoft but will encrypt your Exchange Online mailbox once you press the “Accept” button.

To ensure the safety of your cloud environment, you need a comprehensive Office 365 ransomware protection strategy. This strategy should include techniques to increase ransomware awareness as well as reliable tools for data protection and recovery. Let’s explore each component in detail.

Ransomware awareness

Since phishing emails are still the most common source of the ransomware, the vulnerability of your organization depends first and foremost on the ransomware awareness of employees. Employees should understand ransomware threats and know how to minimize them. Here are a few examples:

  • Employees need to know how to set secure passwords and regularly update them.
  • Employees need to be able to recognize suspicious emails and be careful with attachments and links.
  • When surfing the web, employees need to pay attention to the page URL and the padlock symbol.

Ransomware awareness shouldn’t be limited to employee training only. The Microsoft Shared Responsibility Model states that data protection, recovery, and access management fall under the user’s responsibility. This means that you need to be aware of the possible risks and vulnerabilities of your Office 365 environment.

Ensure regular updates of your system and devices. Usually, updates and patches fix bugs and security issues, improving your system’s resilience to ransomware attacks. Additionally, you can enhance native Microsoft ransomware protection with antivirus software that will regularly scan your environment for possible threats. 

Native Microsoft Ransomware Protection 

Microsoft provides a variety of data protection tools, including Exchange Online Protection (EOP), Microsoft Defender, and OneDrive ransomware protection for Office 365. Let’s take a closer look at each of them.

Exchange Online Protection (EOP)

Exchange Online Protection (EOP) is enabled by default. The tool allows you to filter inbound emails based on the sender’s reputation, domain and IP addresses, keywords, and Microsoft analysis algorithms. You can configure filtering policies and rules, create blocklists of senders, choose unwanted attachment types, and reject emails written in other languages.

Additionally, EOP filters outbound emails for spam. This protects the Office 365 community from spammers and prevents the use of corrupted accounts for spam attacks. 

Microsoft Defender

Microsoft Defender (also known as Advanced Threat Protection) allows users to detect and remediate malware and phishing emails. The feature is available only in the Office 365 E5 plan.

Unlike common antiviruses that can identify only the threats added to the antivirus database, Defender can protect against new unknown ransomware patterns. The tool monitors suspicious behavior and can filter incoming emails for malware and phishing attempts. 

Microsoft Defender protects users from two common phishing techniques:

  • Email or domain impersonation. An impersonated address looks similar to a real sender’s address, but they are not equal. For example, instead of or instead of 
  • Email spoofing. Criminals use spoofing to modify email headers so that a false address is displayed to a receiver. For example, will be displayed as 

The defender also enables mailbox intelligence to build a database around the user’s communication routine to keep track of new and suspicious senders.

OneDrive Ransomware Protection

Microsoft monitors your OneDrive data for ransomware in real-time and notifies you of suspicious files. In case of a ransomware attempt, you have 30 days to roll back your files to a previous, uninfected version. 

On the downside, ransomware can remove the version history together with the original file. There’s still a chance to restore the original file from the recycle bin, but a chance isn’t something you can solely rely on. The best option, in this case, is to have third-party backups that enable point-in-time recovery and allow you to roll back to the point of time before the attack occurred. 

Read here how a reliable backup solution can take your Office 365 ransomware protection to new heights.

Other Protection Tools

Microsoft allows you to limit permissions and unauthorized access with role-based access control and multi-factor authentication. In fact, multi-factor authentication can prevent a ransomware attempt even if the user opens a phishing email or link, so make sure that this feature is enabled.  

Another useful feature that you need to enable is auditing. Microsoft tracks events and records user and admin activities across Office 365 services to the audit log. Auditing was originally designed for compliance purposes, but you can use it to monitor suspicious activity and keep track of accesses, permissions, downloads, password changes, and more. 

As attacks become more sophisticated, Microsoft tools maybe not be enough to ensure Office 365 ransomware protection. In this case, recovery solutions come in handy. 

Office 365 Ransomware Recovery Solutions

Effective Office 365 protection against ransomware should include tools for data recovery to ensure business continuity when ransomware hits your environment. You can use Microsoft native recovery tools (versioning, retention policies and recycle bins) along with third-party backup solutions. Let’s take a look at each of them.


SharePoint allows you to save up to 50,000 versions of document and page libraries and SharePoint lists. However, the tool is limited for power apps data files (you can enable versioning for some but not all applications) and isn’t available for sites and subsite metadata. OneDrive ransomware protection and recovery also rely on versioning. 

Note that versioning involves full snapshots (not increments) that consume a lot of storage space, and 1,000 versions will increase your storage usage by 1,000 times. This makes versioning an expensive solution, as you’ll need to pay for additional storage. Sometimes, admins disable version history to save on storage. If this happens, versioning, and along with it, version recovery becomes unavailable. 

Retention Policies

Retention policies are available in Office 365 E3 and higher plans. They allow you to retain data copies for a specified time. However, unlike third-party backups, Microsoft retention policies rely on versioning that can’t be scheduled by users. This can result in data loss.

Additionally, all the retained files can be downloaded but not restored to the initial location. So if you need to restore many files at a time, it can take a lot of time and effort. 

Recycle Bins

Recycle bins provide the standard post-deletion retention. When a user deletes a file, it can be recovered within 93 days. Note that recycle bins also rely on versioning, so if the version history is turned off, recovery becomes impossible.

After 93 days, you can still recover the files from Microsoft SharePoint Online daily backups over the next 14 days. If OneDrive for Business files are stored in a SharePoint site collection, you can restore them as well. For this, you need to contact Microsoft support and request full site recovery. Note that in some cases your request approval can take several days. You also won’t be able to recover specific versions or separate items.

After 107 days, your data is permanently deleted and can’t be restored unless you have a third-party backup.

Third-party Backup Solutions

Native Microsoft recovery tools have limitations, including time-limited retention time and the absence of point-in-time recovery. The retention configuration and recovery process can be complicated and lengthy. What’s more, retained files can consume a lot of storage space and increase the overall cost of Office 365 services. 

Adopting a secure third-party backup solution can improve your recovery time objectives and reduce the damage caused by ransomware or human errors. Even Microsoft recommends having a backup solution to keep your data safe. 

Today’s backup solutions rely on incremental backups that store only changed data blocks and allow you to save storage space. Automation tools, scheduling, and flexible rotation schemes prevent data loss and ensure your business continuity. Finally, third-party solutions allow you to store backups offline and, thus, improve their resilience to ransomware attacks.

Wrapping up

Businesses can fall victim to ransomware even if their data is stored in the cloud. Microsoft Office 365 has comprehensive tools to prevent unauthorized access, phishing, and malware. However, as cyber crimes become more sophisticated, you need a more complex approach to Office 365 protection against ransomware. 

To minimize your data loss and improve your resilience to ransomware attacks, your data protection strategy should consist of ransomware awareness training, the use of Microsoft native protection solutions, and third-party backups. 

Shinely Ainsworth


Related Posts