Microsoft Ransomware Prevention

Protecting customer data from malware

Malware includes viruses, spyware, and other malicious software. Microsoft 365 has protection mechanisms that prevent malware from being introduced into Microsoft 365, whether from a client or from a Microsoft 365 server. Anti-malware software is a key mechanism for protecting Microsoft 365 assets against malicious software: it prevents the introduction of malicious software, rootkits, and other malware into service systems, and it detects and blocks malicious software that attempts to enter them.

Every anti-malware tool tracks which version of the software is being used and which signatures are active. The appropriate anti-malware software for each service team centrally manages the automatic downloading and application of signature updates at least once daily from the vendor’s virus definition site. The following functions are centrally managed using the anti-malware software on each service team’s endpoints:

  • Automated scanning of the environment
  • Periodic scans of the file system (at most weekly)
  • Live scans of files as they are downloaded, opened, or executed, in real time
  • Automatic downloading and application of signature updates at least once daily from the vendor’s virus definition website
  • Removal, cleanup, and mitigation of detected malware

Anti-malware tools block malware detections and send an alert to Microsoft 365 security team personnel, Microsoft 365 Security, and/or the security compliance team at the Microsoft organization that manages our datacenters. The incident response is initiated by the receiving personnel. The incident is tracked and solved, and post-mortem analysis of the incident is done.

Exchange Online Protection against malware

Exchange Online Protection (EOP) is the gateway for all Exchange Online email messages. It scans, in real time, every email and attachment that enters or leaves the system for malware and viruses, and quarantines what it finds. Administrators don’t need to configure or maintain the filtering technology; it is enabled automatically. Administrators can, however, customize filtering settings for their company using the Exchange admin center.

EOP provides multilayered protection by using multiple anti-malware engines. This is designed to capture all known malware. All messages sent through the service will be scanned for malware, including viruses and spyware. Messages that are found to contain malware will be deleted. When an infected message is deleted or not delivered, administrators and senders may be notified. You have the option to replace infected attachments with custom or default messages. This will notify the recipients about malware detection.

These are some ways to protect yourself from malware:

  • Layered protection against malware – Multiple anti-malware scanner engines are used in EOP to protect against known and unknown threats. These engines have powerful heuristic detection capabilities to protect against malware infections in the early stages. Multi-engine protection is significantly better than using one anti-malware engine.
  • Real-time threat response – In some cases, the anti-malware group may have enough information to create policy rules that detect malware and viruses even before any definitions are available from the engines. These rules are posted to the global network every two hours to give your organization an additional layer of protection against attacks.
  • Quick anti-malware definition deployment – The anti-malware team has close relationships with anti-malware engine developers. The service can receive and integrate patches and malware definitions before they are released publicly. These partners are often able to help us develop our solutions. Every hour, the service checks for new definitions from all anti-malware engines.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 provides email protection that includes additional protection against advanced threats such as malware and viruses. Exchange Online Protection uses multiple anti-virus engines to protect against known viruses and malware. Microsoft Defender for Office 365 adds further protection with Safe Attachments. This feature protects against unknown viruses and malware and offers better zero-day protection for your messaging system. All attachments and messages that do not match a known virus or malware signature are sent to a hypervisor environment. There, behavior analysis using various machine learning and analysis techniques identifies malicious intent. The message is delivered to the mailbox only if it is not detected as suspicious.

Exchange Online Protection scans every message in transit in Microsoft 365. It also provides protection at delivery time and blocks malicious hyperlinks. Sometimes attackers try to disguise malicious URLs using seemingly safe links, which a forwarding service then redirects to unsafe sites after the message has been sent. Safe Links protects users when they click on such links, and this protection is re-evaluated every time a user clicks the link. Malicious links are dynamically blocked, while good links remain accessible.

Microsoft Defender for Office 365 offers rich reporting and tracking capabilities. This allows you to gain crucial insights into who’s being targeted within your organization, and what type of attacks are occurring. You can use the URL trace feature to trace malicious links within messages.

For more information on Exchange Online Protection and Microsoft Defender for Office 365, please visit Exchange Online Protection.

SharePoint Online and OneDrive for Business Protection Against Ransomware

Ransomware attacks come in many forms, but the most prevalent is when a malicious individual encrypts a user’s files and demands money or information in return for the key to unlocking them. Ransomware attacks, especially those that encrypt files stored in the user’s cloud storage, are increasing. You can find more information on ransomware at the Microsoft Defender Security Intelligence website.

Versioning is used to protect SharePoint Online lists and libraries and OneDrive for Business libraries against ransomware attacks. OneDrive for Business and SharePoint Online both have versioning enabled by default, and SharePoint Online site lists have versioning enabled as well. This allows you to look at older versions and retrieve them if needed, including versions of items that were created before the ransomware encrypted them. For audit or legal purposes, some organizations may also keep multiple versions of the items in their lists.

SharePoint Online and OneDrive Business Recycle Bins

SharePoint Online administrators can restore deleted site collections using the SharePoint Online admin center. SharePoint Online users can access the Recycle Bin to retrieve deleted content, including deleted lists and documents. Items are kept in the Recycle Bin for 93 days. The Recycle Bin captures the following data types:

  • Site collections
  • Sites
  • Lists
  • Libraries
  • Folders
  • List items
  • Documents
  • Web Part pages

The Recycle Bin does not capture site customizations made using SharePoint Designer. For more information, see Restore deleted items from the site collection Recycle Bin. Also, see How to restore a deleted site collection.

Versioning doesn’t protect against ransomware attacks, which copy files, encrypt them, and then delete the original files. End-users have the option to use the Recycle Bin to retrieve OneDrive for Business files following a ransomware attack.

This section explains in greater detail how Microsoft protects your company and assets from cyberattacks.

Microsoft’s response to ransomware attacks

Microsoft has implemented defenses and controls to protect your assets and organization from ransomware attacks. Assets can be organized according to the domain, with each domain having its set risk mitigations.

Domain 1: Tenant level controls

The first domain includes the people and infrastructure that your organization controls. To help reduce the risk and recover from a successful breach of assets, the following features are available in Microsoft 365.

Exchange Online

Customers can retrieve items from a mailbox after an accidental or malicious premature deletion by using mailbox retention and single item recovery. By default, customers can roll back deleted mail messages within 14 days; this is configurable up to 30 days.

Additional retention policies can be configured by customers via the Exchange Online service:

  • Configurable retention can be applied (1 to 10+ years)
  • Copy-on-write protection can be used
  • The retention policy can be locked so that it is immutable
  • Exchange Online Protection scans all incoming emails and attachments in real time, and also scans messages when they leave the system. This feature is enabled by default, and you can customize the filtering settings. Messages containing ransomware and other known or suspected malware are deleted. Administrators can configure notifications for when this happens.
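The tenant-level Exchange Online controls listed above are set from Exchange Online PowerShell. The following is an added example, not code from the page or from Microsoft documentation; it uses the ExchangeOnlineManagement module and the Security & Compliance PowerShell session, and the account names, the retention policy name and the address that receives malware notifications are placeholders.

```powershell
# Added example (not from the page): apply the tenant-level Exchange Online
# controls described above. admin@contoso.example, user@contoso.example and
# the policy name "Finance mail retention" are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Raise deleted-item retention from the 14-day default to the 30-day maximum
#    and keep single item recovery on, so purged items remain recoverable.
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -RetainDeletedItemsFor 30.00:00:00 -SingleItemRecoveryEnabled $true

# 2. Verify the change on one mailbox.
Get-Mailbox -Identity user@contoso.example |
    Format-List RetainDeletedItemsFor, SingleItemRecoveryEnabled

# 3. Have EOP notify an administrator when a message is dropped because it
#    contains malware (for internal and external senders), and enable
#    zero-hour auto purge so malware found after delivery is removed too.
Set-MalwareFilterPolicy -Identity Default `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress admin@contoso.example `
    -EnableExternalSenderAdminNotifications $true `
    -ExternalSenderAdminAddress admin@contoso.example `
    -ZapEnabled $true

Get-MalwareFilterPolicy -Identity Default |
    Format-List EnableInternalSenderAdminNotifications, EnableExternalSenderAdminNotifications, ZapEnabled

# 4. Lock an existing retention policy so that nobody, including a global
#    administrator, can shorten or remove it (Preservation Lock). This is
#    irreversible, so it is the last step.
Connect-IPPSSession -UserPrincipalName admin@contoso.example
Set-RetentionCompliancePolicy -Identity "Finance mail retention" -RestrictiveRetention $true
```

Step 1 touches every mailbox, so run it once with `-WhatIf` added to `Set-Mailbox` first; step 4 cannot be undone, which is exactly why it protects against an attacker with admin credentials deleting the retention policy before encrypting or purging mail.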

SharePoint Online and OneDrive for Business protection

SharePoint Online and OneDrive for Business Protection include features that protect against ransomware attacks.

Versioning: Versioning keeps a minimum of 500 versions of files by default, but can be configured to keep more. If ransomware encrypts or edits a file, it can be restored to a previous version.

Recycle Bin: Customers have 93 days to retrieve the file from the recycle bin if ransomware creates an encrypted copy of the file and deletes the original file.

Preservation Library: SharePoint and OneDrive files can be kept by using retention settings. If a document contains versions, it is subject to retention settings. Versions are copied to the Preservation Hold Library and stored as an item. Users can review the retained copy if they suspect their files may have been compromised. File Restore is a tool that can be used to retrieve files within the last 30 calendar days.
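The versioning and Recycle Bin recovery paths described above can be driven from PnP PowerShell. The following is an added example, not code from the page or from Microsoft documentation; it uses the PnP.PowerShell module, and the site URL, library name, file path, version label and time window are placeholders.

```powershell
# Added example (not from the page): check the versioning setting on a
# library, then use version history and the Recycle Bin to recover files
# after a ransomware incident. The site URL, library name, file path and
# version label are placeholders.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url https://contoso.sharepoint.com/sites/finance -Interactive

# 1. Make sure versioning is on for the document library and keep the
#    500-version default the text describes.
Set-PnPList -Identity "Documents" -EnableVersioning $true -MajorVersions 500

# 2. A file that ransomware encrypted in place (an edit) still has its earlier
#    versions. List them, then restore the last version written before the
#    incident; "3.0" is a placeholder version label taken from that listing.
$file = "/sites/finance/Shared Documents/Q3-forecast.xlsx"
Get-PnPFileVersion -Url $file | Format-Table VersionLabel, Created, Size
Restore-PnPFileVersion -Url $file -Identity "3.0" -Force

# 3. A file that was copied, encrypted and then deleted is not covered by
#    versioning, but the original sits in the Recycle Bin for 93 days.
#    Restore every file deleted since the incident started (2 days ago here).
$since = (Get-Date).AddDays(-2)
Get-PnPRecycleBinItem |
    Where-Object { $_.DeletedDate -gt $since -and $_.ItemType -eq "File" } |
    Restore-PnPRecycleBinItem -Force
```

Restoring from version history recovers the file's content but leaves the encrypted version in the history, so the listing in step 2 is worth keeping as evidence of when the encryption happened; the Recycle Bin filter in step 3 is deliberately narrow (files only, bounded by date) so that unrelated deletions are not resurrected.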

Teams

Teams chats are stored in Exchange Online user mailboxes, while files are stored either in SharePoint Online or OneDrive for Business. Microsoft Teams’ data is protected using the recovery capabilities and controls available in these services.

Domain 2: Service level controls

The second domain concerns the people who make up Microsoft, as well as the corporate infrastructure that Microsoft owns and controls to carry out the business functions.

Microsoft’s Zero Trust approach to protecting its corporate estate uses our products and services, with defenses across the digital estate. More information about Zero Trust can be found here: Zero Trust Architecture.

Microsoft 365 also offers additional features to enhance the risk mitigations in domain 1, which further protects the assets of this domain.

SharePoint Online and OneDrive for Business protection

Versioning – If ransomware encrypts a file in place, as an edit, the file can be recovered using the version history capabilities managed by Microsoft.

Recycle Bin: Customers have 93 days to retrieve the file from the recycle bin if ransomware creates a new encrypted copy and deletes the old one. Microsoft has a 14-day window to recover data after 93 days. The data is permanently deleted after this window.

Exchange Online

Database availability groups (DAGs) protect against mailbox data corruption in Exchange Online. Exchange Online offers 4 database availability groups: 1 is active, and 4 are lagged, replaying transaction logs after a 14-day delay.

A ransomware attack can affect the mailbox server hosting the active copy of a transaction; the failover to the other active DAG is transparent to customers. For a fallback to the lagged DAG to be needed, all three copies of the mail transactions in the active databases would have to be affected by ransomware. This isolation mechanism makes ransomware attacks less effective.

Teams – The same risks mitigations for teams as in domain 1 apply to domain 2.