How to Protect Your Microsoft Office 365 Data From Ransomware

Subscribe banner

Enterprises that rely on Microsoft Office 365 as their main productivity toolset are vulnerable to internal and external data protection threats. Chief among external data protection threats is ransomware. If the threat of ransomware is not properly addressed, the resulting data loss can lead to disruptions to a company’s operational workflow and sizable financial and reputational losses.

In this article, you can find actionable advice on how to protect Microsoft Office 365 data against ransomware.

The Rising Threat of Ransomware

Ransomware cases have hit a record high during the past half-decade. According to the latest report by Cybersecurity Ventures, ransomware damage costs went up from $325 million in 2015 to $20 billion in 2021 - that’s a staggering increase of 57 times.

Small businesses, larger organizations, and government agencies are all vulnerable to ransomware attacks. One of the most recent ransomware incidents involved FujiFilm, a world-renowned company known for its photography-related products. In June 2021, a ransomware attack stopped FujiFilm’s operations for 3 days. Fortunately, the company was able to restore the entirety of its data from backups.

Ransomware comes in different forms, with the most common type being crypto-ransomware. When it gains access to a system, this particular type encrypts the files and data, thus making the content inaccessible. A specified amount of money or valuable information is demanded in exchange for the key to decrypt the infected data.

Due to the recent shift towards remote work, cybercriminal groups appear to have expanded their activities across major cloud-based platforms, including Microsoft Office 365, the leading comprehensive online suite of applications.

Before we start

If you're looking for a robust solution to help you keep your Microsoft 365 data safe against ransomware attacks, use NAKIVO Backup & Replication. The solution offers incremental Microsoft Office 365 backup for Exchange Online, OneDrive for Business, and SharePoint Online data, allowing you to seamlessly incorporate data protection measures into daily IT workflows.

NAKIVO Backup & Replication allows you to restore entire folders, single files, sites, mailboxes, calendar items, and individual emails from your Microsoft Office 365 environment. Keep your data safe and accessible at all times with the Free Edition of NAKIVO Backup & Replication.

Ransomware Awareness

It is important to educate users about ransomware, the damages it causes, and how to avoid it. The human element is still the biggest factor in enabling malicious software and facilitating its spread across systems. Nowadays, it is simply a necessity to conduct regular ransomware awareness training in modern enterprises to reduce data vulnerabilities.

Ensure that all employees know that attackers often send fraudulent emails meant to trick users into sharing personal information, such as passwords. Attackers urge their victims to download and install a malicious file posed as a mandatory system update. Therefore, users should carefully verify the sender’s email address before replying to an email and opening attachments or links. Attackers usually use concealed or fake addresses that might look convincing to the average user.

When surfing the web, users should also pay close attention to the URL of the page they’re about to disclose valuable information to. Webpage addresses for secure environments must include the padlock symbol followed by https.

Microsoft Defender for Office 365

To protect data against compromise by ransomware and other malicious threats, Microsoft has implemented Defender for Office 365 (previously known as Office 365 Advanced Threat Protection), which is an integrated cross-domain threat detection and response solution. Microsoft Defender for Office 365 can help protect, detect, investigate and remediate a wide range of malware types in real-time across Office 365.

Microsoft Defender automatically recognizes and blocks new threats that are undetectable by traditional anti-malware solutions. Those threats are most commonly referred to as zero-day threats.

Most antiviruses rely on security organizations to first analyze a new threat sample to create a signature file that can be added to the anti-malware database through a software update. Only then can a traditional antivirus successfully identify the new threat.

On the other hand, Microsoft Defender for Office 365 helps to stop attacks before they happen by carrying out crucial prevention and detection tasks, including filtering incoming data and monitoring suspicious behavior.

During recent years, malicious groups have carried out their most successful attacks through the email route. In fact, the most common ransomware delivery system used by attackers is a phishing email.

Anti-Phishing Protection

Phishing emails are meant to deceive a recipient into clicking a hyperlink or revealing login details or other sensitive information. If the user complies and downloads the attached files or follows the links, ransomware software is installed on the device in use.

Microsoft Defender for Office 365 includes a dedicated feature for anti-phishing. It can be custom-tailored to fit the user’s needs.

Anti-phishing in Microsoft Defender for Office 365 uses advanced algorithms to automatically and instantaneously detect phishing attacks. Specifically, Microsoft Defender employs techniques such as users and domains impersonation protection, mailbox intelligence, and spoof intelligence that are detailed below.

Before activating the anti-phishing protection feature in Microsoft Office 365, first, define anti-phishing policies in the Office 365 Security & Compliance Center.

Threat Policies

An anti-phishing policy with the recommended settings is already set by default in Defender and always turned on. Nevertheless, to optimize security measures, create a new policy.

Applied filters

To create a new anti-phishing policy, go to Threat Management > Policy > Anti-Phishing. Then choose the users, groups, and domains that the policy applies to.

Users Groups and Domains

The next page titled Phishing Threshold & Protection offers the following settings and customizable features to keep your account secure.

Phishing Threshold and Protection

  • Phishing email threshold: Choose how Defender reacts when a phishing activity is detected in a message. There are 4 levels of sensitivity to pick from standard, aggressive, more aggressive, and most aggressive. Each level determines the severity of the action taken against the message depending on the degree of confidence that an incoming message is a phishing attempt. However, at the most aggressive level of sensitivity, genuine emails are mistaken for phishing attempts and the system reacts to the false positive.
  • Impersonation: Defender protects the Office 365 internal email addresses of users and external emails of partners, customers, and other frequently contacted individuals or organizations from being impersonated. When impersonated, an email address is usually used for malicious purposes such as identity theft or ransomware dissemination.

An impersonated email address can look similar to a real sender or domain. For example, an impersonation of is To the untrained eye, the sender’s email address looks to be indistinguishable from a real user’s address.

To counter the phishing threat, do the following:

  • Enable users to protect: Internal and external users specified in the Users, Groups, and Domains are protected from being impersonated as email senders. On the other hand, recipients (all users) are included in the default anti-phishing policy and therefore protected from receiving malicious content sent from impersonated addresses.

Up to 350 protected users can be specified per policy. It is highly recommended to prioritize the protection of key users such as the CEO, CFO, senior managers, and staff handling financial transactions, like accountants.

  • Enable domains to protect: Domains that are owned by Office 365 users can also be impersonated. Attackers usually resort to techniques such as typosquatting to trick the users into believing that the email is sent from a trusted source. Typosquatting refers to replacing characters or introducing an imperceptible change in a genuine domain’s name. A case in point is: an impersonation of is

A maximum of 50 protected domains can be specified per policy.

Enable Mailbox Intelligence

  • Enable mailbox intelligence: Defender builds a database around the user’s communication routine to help detect and prevent ransomware attacks that use phishing emails. This setting helps Defender for Office 365 tell legitimate senders apart from impersonated senders.
  • Enable spoof intelligence: While spoofing is often used for legitimate reasons such as appointing a third-party sender to advertise your products on your behalf through bulk mail, this technique is also employed in fraudulent schemes and ransomware attacks against organizations. Spoof intelligence automatically blocks the suspicious emails but also allows the user to manually override the verdict and add the sender as an entry into the “Tenant Allow/Block” list.

On the next page, the administrator chooses the actions to be taken, in this current policy, if messages were identified as impersonated users and domains or as spoofs. The actions include: quarantine the message (to be reviewed later by an administrator), redirect message to other email addresses, move the message to the recipient's junk folder, delete the message before it’s delivered, or simply don’t apply any action.


After reviewing your settings and saving your progress, Microsoft Office 365 takes up to 30 minutes to fully apply the new policy across all data centers.

Microsoft Office 365 Ransomware Recovery Methods

When a ransomware attack is detected, the first essential step is to turn off sync on all devices connected to the infected user(s). Also, the infected system must be instantly disconnected from the network. This helps contain the spread of ransomware across devices connected to the network and therefore limits the damage. If done in time, there’s a high chance that the infected files still have unencrypted copies stored on other drives.

After being hit by ransomware, there are still native Office 365 measures the user can take to recover the infected data. They may have some limitations but might help save some time and effort.


In SharePoint Online, Exchange Online and OneDrive, versioning help protect data from ransomware attacks, at least in most cases. When enabled in SharePoint Online lists and OneDrive for Business libraries, versioning automatically saves the last 500 versions of any given document. This helps the user recover any version of a file that precedes a ransomware attack.

Through versioning, OneDrive allows the user to revert the entire drive within a 30-day time frame. With SharePoint Online, on the other hand, files need to be recovered individually, as complete folder recovery is not achievable (at the time of writing this post).

Exchange Online incorporates a feature called Database Availability Groups (DAGs) that periodically duplicates the user’s mailbox data and creates copies that are stored in Microsoft data centers.

However, versioning in Office 365 does not offer full protection against a type of OneDrive ransomware attack that copies files, encrypts them, and then completely deletes their original version. In case of such an attack, users can resort to the Recycle Bin to recover OneDrive for Business data.

Recycle Bin

In some cases, ransomware groups create a new encrypted version of a file, then delete the original. Microsoft gives the user a time span of 93 days to restore the deleted files from the Recycle Bin. After that, there’s a 14-day window when Microsoft can still recover the data. When that window closes, the data is permanently deleted.

Preservation Hold Library

By applying retention settings, data synced to OneDrive or SharePoint can be preserved for a specified period of time. When a file has retention settings enabled, revisions are stored in the Preservation Hold library. In the case of a ransomware attack, the user can access the retained copy and check for changes to assess the damage.

Third-Party Backup Solutions

To have full control over your Microsoft Office 365 data and avoid downtime, reputational damage, and financial harm, adopting a highly secure third-party backup solution may be the best option for your organization. Microsoft does not back up Office 365 data but offers retention policies instead for Exchange Online, SharePoint Online, and OneDrive for Business. With a retention policy in place, users are not allowed to delete any file in their mailboxes or sites, and this can heavily consume storage over time. Deploying a third-party backup solution not only improves your recovery time objectives but also significantly mitigates the damage caused by a ransomware attack or human error.

Wrapping Up

Microsoft Office 365 is protected in real-time by Defender against most malicious attacks. Its built-in ransomware detection system continuously scans the data and warns the user when suspicious activity occurs.

However, if ransomware does get through, native restore solutions like versioning and recycle bin can be of some help. In many cases, a third-party backup option may be the best alternative to protect Microsoft Office 365 against ransomware. NAKIVO Backup & Replication is a fully-featured, comprehensive solution for Microsoft Office 365 backup. Use the solution to quickly recover valuable data after a ransomware attack and keep downtime to a minimum.

For more information about how to successfully recover from ransomware attacks, please watch NAKIVO’s detailed webinar on the topic.

Let’s Stay in Touch

Subscribe today to our monthly newsletter
so you never miss out on our offers, news and discounts.