Office 365 Ransomware Protection and Recovery: A Complete Overview

Nowadays, ransomware is considered one the biggest threats to modern businesses since it can affect all types of data including Microsoft 365 files and documents. In fact, more than 304 million attacks occurred globally in 2020, with the average ransom payment coming to $812,360. And the infiltration methods are getting more sophisticated every year.

According to its Shared Responsibility Model, Microsoft provides users with various Office 365 ransomware protection tools. However, organizations using Office 365 are responsible for configuring these tools to safeguard their data from threats as well as use third-party tools to ensure its recoverability.

This post details the built-in Microsoft ransomware protection and recovery features that allow you to secure your environment and restore your data following a ransomware attack.

Native Office 365 Ransomware Protection Options

Microsoft 365 Defender

Microsoft Purview Information Protection

Additional Office 365 Ransomware Protection Tools

Microsoft Ransomware Recovery Methods


Recycle Bin

Compliance Retention Policies

Preservation Hold Library

Third-Party Backup Solutions

Native Office 365 Ransomware Protection Options

Microsoft subscriptions include several built-in capabilities that allow you to protect your tenant and mitigate the risks in case of a security incident. Using the tools found in Exchange Online Protection (EOP) and Microsoft Defender, you can detect, monitor and deter attacks before they infiltrate and spread across your network.

Keep in mind that Microsoft ransomware protection features have limitations and do not offer complete immunity against infections, especially when it comes to user-initiated malware, for example.

Microsoft 365 Defender

Most of the security and identity theft tools you need can be found in Microsoft 365 Defender and Microsoft Defender for Office 365 since they combine numerous monitoring and protection capabilities. Additionally, you can use Microsoft Defender for Identity and Microsoft Defender for Endpoint to find compromised devices that can be the source of a breach.

The most important Office 365 ransomware protection features included in Microsoft Defender are listed below.

  • Threat investigation and response

This is a set of capabilities that help administrators scan their environment and collect data on potential threats. The threat investigation and response workflow gathers information using threat trackers from different sources such as infected computers, previous incidents, user activity and more. The necessary response actions are then implemented to address risks in OneDrive for Business, SharePoint Online, Exchange Online and Microsoft Teams.

  • Anti-phishing protection

Social engineering schemes like phishing attacks are the number one ransomware attack vectors. Microsoft Defender for Office 365 uses advanced algorithms and a set of features to automatically detect phishing attacks and protect Office 365 data.

Spoof intelligence: These insights allow you to detect and automatically restrict spoofed senders in messages from internal or external domains. You can also manually allow or block identified senders in the Tenant Allow/Block List.

Anti-phishing policies: Configure various settings such as impersonation protection, mailbox intelligence and advanced phishing thresholds. Additionally, you can specify the action for blocked spoofed senders.

Implicit email authentication: Identify forged senders by checking inbound email using advanced techniques like sender reputation, sender history, behavioral analysis and more.

Campaign views: Detect and analyze messages that are involved in coordinated phishing campaigns.

Attack simulation training: Administrators can create fake phishing messages and share them with users within their network to test their preparedness and conduct ransomware awareness training.

  • Anti-malware protection

The multi-layered malware protection in EOP automatically detects different types of incoming and outgoing malware including viruses, spyware and ransomware. This is done using the following features:

Layered defenses against malware: Several anti-malware scan engines safeguard your organization against known and unknown threats. These engines provide Office 365 ransomware protection even during the early stages of an outbreak.

Real-time threat response: Your security team can gather enough information about a virus or malware to create specific policy rules and immediately publish them across the network.

Fast anti-malware definition deployment: Anti-malware engines are constantly updated to include new patches and malware definitions.

  • Controlled folder access

By enabling real-time protection in Microsoft Defender Antivirus, you can manage Controlled folder access settings to protect Office 365 files and data from malicious apps and ransomware. This feature checks applications against a list of known apps and allows only trusted ones to access protected folders. In case of malicious activities, you receive a notification showing you which app attempted to make unwanted changes to a protected document.

  • Microsoft Defender for Cloud Apps

Moving to the cloud introduces new security risks that could endanger your data during storage or travel. Microsoft Defender for Cloud Apps provides Microsoft Enterprise plans with advanced control, powerful visibility, and robust cyberthreat detection across Microsoft and third-party cloud services.

The main capabilities that ensure Office 365 ransomware protection are:

Discover and control the use of Shadow IT: Identify cloud apps and services used by your organization, investigate usage patterns and assess business readiness against multiple risks.

Protect sensitive information in the cloud: Implement policies and automated processes to control and safeguard sensitive data in real-time across all cloud apps.

Deter cyberthreats and anomalies: Detect unusual behavior, ransomware, compromised computers and malicious applications. Analyze high-risk usage patterns and automatically remediate threats.

Assess the compliance of cloud apps: Make sure your applications meet the required regulatory compliance and industry standards.

  • Microsoft Defender SmartScreen

Microsoft Defender SmartScreen offers protection against malware or phishing applications and websites. Potentially malicious files are automatically blocked and the user is notified. Visited webpages are analyzed and checked against a list of reported phishing and malicious sites. While downloaded apps or app installers are checked against a list of reported malicious programs known to be unsafe.

Microsoft Purview Information Protection

Office 365 ransomware protection is not only about preventing attacks. Optimal data governance processes can also reduce the threat of data loss via ransomware. Using different features in Microsoft Purview Information Protection, you can identify, classify and protect sensitive data, in-flight or at rest.

  • Data loss prevention (DLP)

Defining and applying DLP policies prevent users from inappropriately sharing sensitive data with unauthorized personnel and limit the risk of data loss. More importantly, DLP allows you to monitor user activities on sensitive items. These items can also be moved and locked in a secure quarantine location to stop ransomware infections from reaching them.

  • Sensitivity labels

Configure and apply sensitivity labels to data you deem as potentially ransomable such as sensitive emails or documents. Protect Office 365 files by marking the content or encrypting the data to make sure that only authorized users can access it.

Additional Office 365 Ransomware Protection Tools

Microsoft provides more features that mitigate the risk of ransomware and limit data loss:

  • Exchange email settings: Phishing emails are the main method used in a ransomware attack. Configuring Exchange email settings reduces your organization’s vulnerability to an email-based attack by stopping the initial access to your tenant.
  • Multi-factor authentication: Enabling modern authentication in Office 365 adds a second layer of protection to the sign-in process and drastically lowers the chance of credential compromise.
  • Microsoft secure score: This tool continuously measures the security posture of your organization and suggests improvements to help you protect Office 365 data.
  • Attack surface reduction rules: Decrease your vulnerabilities to cyber attacks by configuring the necessary settings. Block suspicious activities before they infect your entire network.

Microsoft Ransomware Recovery Methods

Sometimes, all protection options fail and you are hit by a ransomware attack. In this case, you should immediately stop OneDrive sync on all connected devices and disconnect the infected devices from the network. If done in time, there’s a high chance that the infected files still have unencrypted copies stored on other drives.


When enabled, versioning allows you to automatically save multiple versions of the same document in SharePoint Online, Exchange Online and OneDrive for Business. By default, the number of versions is limited to 500 but you can increase it to 50,000.

You can revert back to previous versions that were created before the ransomware attack and restore them when you need to. Keep in mind that versioning does not offer complete protection against ransomware since some infections can also encrypt all versions of a document.

Note: Storing several versions requires additional storage space.

Recycle Bin

In some cases, ransomware attacks remove the original file and create a new encrypted version that you cannot use. The recycle bin can be used as a Microsoft ransomware recovery tool since it helps you restore deleted files within a span of 93 days.

Even after this period expires and the item is removed from both stages of the recycle bin, you have a 14-day window to contact Microsoft support to request data recovery. After this window closes, the data is permanently deleted.

Compliance Retention Policies

Create rules that define how long you preserve Office 365 files and documents. This allows you to configure which data can be deleted and when. You can automate this process by setting retention policies for specific content types.

Note: Compliance retention policies are only available for Microsoft 365 E5, A5 and G5 subscription plans.

Preservation Hold Library

By applying retention settings, data synced to OneDrive or SharePoint can be stored for a specified period of time in the Preservation Hold Library. The In-Place Hold feature ensures that a copy remains unchanged and unaffected by ransomware infection. Following an attack, the user can access the library and export the needed files.

Third-Party Backup Solutions

There are different Office 365 ransomware recovery methods that you can use to restore your infected data. Keep in mind that, similar to Microsoft ransomware protection features, these tools have their limitations and might not guarantee data recoverability.

Microsoft does not back up Office 365 data but offers retention policies instead for Exchange Online, SharePoint Online and OneDrive for Business. On the other hand, modern backup solutions for SaaS provide optimal data protection and safety in case of a cyber breach. Your data can be stored in secure repositories and quickly recovered following an attack.

Wrapping Up

Nowadays, ransomware attacks are the most dangerous threat to organizations since they can affect any type of data including Office 365 documents and files. Luckily, Microsoft provides built-in Office 365 ransomware protection and recovery tools that continuously monitor and protect your environment.

However, these native tools have their limitations and a third-party backup solution is necessary to safely recover your data after an infection. Download the NAKIVO Backup for Office 365 free edition to check out all the advanced tools and functionalities that help you ensure data recoverability.

People also read