Can Ransomware Affect Microsoft (Office) 365?

Microsoft 365 is stringently secure with zero-trust architecture, continuous security assessment, the principle of least privilege, and security awareness training for its employees. However,  it cannot protect you from attacks or data loss at your end due to malware, ransomware, human error, sync issues, or malicious deletion. Email phishing is the main vector driving ransomware attacks and the ubiquitous Microsoft Office 365 email is heavily targeted. With its valuable personal and business-critical data, there have been growing reports of Microsoft Office 365 being hit by sophisticated attacks of ransomware – WannaCry, Cerber, Wickr/Hello, and others.

It takes one click on a phishing link in an email or Teams chat for ransomware to enter into your network. Once in, the ransomware can either delete, encrypt or exfiltrate Microsoft Office 365 data stored in Exchange, OneDrive, Outlook, Calendar, and Sharepoint. Microsoft has taken note and comes with an armament of tools to protect data from ransomware such as the Exchange Online Protection (EOP) and  Microsoft Defender.

What are the Native Microsoft (Office) 365 Options for Ransomware Protection?

Ransomware Protection

1. Assess your organization’s security configuration with Microsoft Secure Score.
2. Use Microsoft Data Loss Prevention (DLP) policies to detect, warn, and block sharing of sensitive data.
3. Use Microsoft Defender for Cloud Apps to monitor and block the download of sensitive data.
4. As the main vector is phishing, configure Exchange email settings to industry-standard security configuration.
5. Multi-Factor Authentication (MFA) is a formidable defense against a malware attack (and an Office 365 mandate). Make sure that MFA is required.
6. Use Microsoft Information Protection to label sensitive “ransomable” data.

Ransomware Detection

1. Regularly scan devices that are synchronizing data or targets of mapped network drives with Windows Defender or (for older clients) Microsoft Security Essentials.
2. As files encrypted locally can be synched to Microsoft 365 Site/OneDrive, immediately disable Exchange ActiveSync and OneDrive sync if there is a purported ransomware attack.
3. Use Microsoft Defender for Identity and Endpoint to zone in on compromised identities and devices.

Ransomware Recovery

1. Recover using Office 365 retention/archival policies: Setup a conservative Office 365 retention policy (steps here) or an Office 365 archive to be able to recover your data
2. Recover using SharePoint Online and OneDrive versioning, Recycle Bin, and/or Preservation Hold library:
3. Files Restore in OneDrive for Business allows you to restore your entire OneDrive to a previous point in time within the last 30 days.
4. Advanced protection such as sandboxing is available in Microsoft Advanced Threat Protection or Microsoft Defender for Office 365, however it is only available in premium plans.

Limitations of Native Microsoft (Office) 365 Options for Ransomware Protection

“Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications. You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control.“

Microsoft Documentation

Microsoft clearly reminds its customers about the Microsoft Shared Responsibility model, whereby the onus of protecting your data lies squarely with you.

1. While it equips you with ransomware recovery tools – all the native options typically can restore data only for up to 90 days. The time taken to detect a breach can vary from weeks to months.
2. Recovery by native methods such as archival or retention is tedious and leads to a compromised Recovery Point Objective (RPO) and Recovery Time Objective (RTO) – the key factors that determine seamless business continuity and lowered downtime.
3. If users or admins delete the data, it will override the retention policy and will be removed from Microsoft 365 applications.
4. The storage costs of retention can be significant crossing the 11TB limit of Microsoft 365. The costs can rack up especially if you are planning to use the Retention policies as backup – for a period of 3 years. That will require you to purchase additional storage even while incurring license upgrade costs to the most expensive Enterprise plan.

Ransomware Recovery with SaaS Backup

“Backups are critical in ransomware recovery and response; if you are infected, a backup may be the best way to recover your critical data.”

Cybersecurity and Infrastructure Security Agency (CISA)

While Microsoft Office 365 ransomware protection policies help to protect your data, they fall short as far as ransomware recovery is concerned. Downtime is the most damaging repercussion of a ransomware attack and limiting it can significantly mitigate the risk and cost. Critically, seamless recovery blunts the ransomware attack, for if you can get the data back with a few clicks, paying the ransom is moot. This is why the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) strongly advises backup to quickly restore a non-encrypted version of data, thus recovering quickly from ransomware and reducing its damages. More specifically, it recommends backup on the cloud rather than backup on-premises. This is because the backup storage is abstracted from the infrastructure being attacked in keeping with the best practice of the 3-2-1 rule of backups.

CloudAlly’s pioneering and top-rated comprehensive Microsoft 365 Backup and 1-click recovery secures all your Microsoft 365 data from loss – Mail, Calendar, Contacts, Tasks, Groups/ Teams, OneDrive, SharePoint, and Public Folders. Recover an accurate copy of your data from ransomware in minutes

Start a free, full-feature 14-day trial – Zero setup and no credit card information required