
Ransomware is currently the biggest cybersecurity threat for organizations. According to new research done by CyberEdge, among 1200 IT professionals, 62% of organizations were affected by ransomware in 2020. Of those affected companies, 57% paid the ransom.

Now, you might think, “well, they got at least their data back.” Unfortunately, paying the ransom is not a guarantee that you will get your data back. A stunning 33% of the companies that paid the ransom still lost the data.

SharePoint and OneDrive come with a couple of solutions to protect your files. These solutions come in the form of versioning and first- and second-stage recycle bins, and some Microsoft 365 plans have Compliance Retention Policies.

OneDrive even has built-in detection for ransomware and will alert you when a lot of files get changed, allowing you to quickly restore them.

So, storing your files online in OneDrive or SharePoint might feel safe with versioning and the recycle bins, but without a proper backup solution, you’re still vulnerable to data loss. One of the problems is that some malware is capable of removing the version history (by copying the files and deleting the originals)—restoring files can thus be quite challenging.

When we talk about protecting data in Office 365, a lot of people rely solely on file versioning and the first- and second-stage recycle bin. These tools are great for the occasional restore action, but when it comes to restoring a lot of files, you will soon run into limitations.

Have you ever tried to restore a complete document library from the first-stage recycle bin?

You can’t simply select the folder and hit restore. You will have to select all the files and subfolders as well. We can of course use PowerShell in these cases to speed up the restore process, but it will still be a lot of work and prone to errors.
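
The bulk restore from the first-stage recycle bin mentioned above, as an added example that is not from the original article. It assumes the PnP.PowerShell module; the site URL, client ID, library path and time window are placeholders.

```powershell
# Added example: bulk-restore deleted items from the first-stage recycle bin.
# Assumes PnP.PowerShell; every value below is a placeholder.
Import-Module PnP.PowerShell

$siteUrl  = 'https://contoso.sharepoint.com/sites/finance'   # placeholder
$clientId = '00000000-0000-0000-0000-000000000000'           # placeholder app registration
$dirMatch = 'sites/finance/Shared Documents*'                # original location to restore
$since    = (Get-Date).ToUniversalTime().AddDays(-2)         # only deletions in this window
$dryRun   = $true                                            # set to $false to restore

Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $clientId

# DirName is the item's original folder. DeletedDate is treated as UTC here
# (assumption; confirm on one known item). Sorting by DirName processes
# parent folders before the items beneath them.
$items = Get-PnPRecycleBinItem -FirstStage |
    Where-Object { $_.DirName -like $dirMatch -and $_.DeletedDate -ge $since } |
    Sort-Object DirName, LeafName

$log = foreach ($item in $items) {
    $result = 'DryRun'
    if (-not $dryRun) {
        try {
            Restore-PnPRecycleBinItem -Identity $item.Id -Force -ErrorAction Stop
            $result = 'Restored'
        } catch {
            # Typical failure: an item with the same name already exists
            # at the original location.
            $result = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Path      = "$($item.DirName)/$($item.LeafName)"
        DeletedBy = $item.DeletedByEmail
        DeletedAt = $item.DeletedDate
        Result    = $result
    }
}

# Summary per outcome, plus a full log for the items that need manual follow-up.
$log | Group-Object { ($_.Result -split ':')[0] } | Select-Object Name, Count
$log | Export-Csv -Path .\recyclebin-restore.csv -NoTypeInformation
```

Run it with `$dryRun = $true` first and review the CSV before restoring anything.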

So the question is, how can we protect our data in Office 365 against ransomware? And what options do we have when it comes to recovery?

How can Ransomware infect files in OneDrive or SharePoint?

Before we take a look at what you can do to protect yourself against ransomware, let’s first take a closer look at how files in OneDrive or SharePoint can get infected.

Most people assume that files stored online can’t be infected. The problem, however, is that pretty much all the OneDrives are synced to a local device. And even with SharePoint, we see that a lot of users synchronize the document libraries with their devices.

Locally stored files are easier to work with, but they are also exposed to ransomware attacks.

When a device gets infected with ransomware, any files that are encrypted are simply synced back to OneDrive or SharePoint.

Other ways to infect files

Even if you don’t sync the files, there are still ways for ransomware to encrypt them in OneDrive or SharePoint. Attackers can gain access to your Microsoft 365 environment after a successful phishing attack, encrypting all your OneDrive files.

Malware or phishing links that request permission to access your OneDrive are also a way for an attacker to gain access to your files.

Office 365 Ransomware Recovery

When you are hit with ransomware, the first thing you should do is stop the OneDrive sync on all computers and remove the infected machine from the network. By disabling the OneDrive sync, you might be able to recover the infected files from the other (not yet) infected machines.


Firstly, you could try to restore your files by reverting back to a previous version of the file. The problem with SharePoint is that you can’t do this for a whole folder at once—you will have to do it per file.

You could of course try to use PowerShell for this. The PnP library does have a cmdlet to revert the file version, but it will require you to write and test a script first.
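
A version rollback script of the kind described above, as an added example that is not from the original article. It assumes the PnP.PowerShell module; the site URL, client ID, library name and attack timestamp are placeholders or constructed values.

```powershell
# Added example: roll every file in one library back to its last version from
# before the attack. Assumes PnP.PowerShell; all values are placeholders.
Import-Module PnP.PowerShell

$siteUrl   = 'https://contoso.sharepoint.com/sites/finance'        # placeholder
$clientId  = '00000000-0000-0000-0000-000000000000'                # placeholder app registration
$library   = 'Documents'                                           # placeholder library title
$attackUtc = ([datetime]'2024-01-15T09:00:00Z').ToUniversalTime()  # constructed timestamp
$dryRun    = $true                                                 # set to $false to restore

Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $clientId

$report = foreach ($item in Get-PnPListItem -List $library -PageSize 500) {
    if ($item.FileSystemObjectType -ne 'File') { continue }
    # SharePoint timestamps are treated as UTC here (assumption; confirm on a test file).
    if ($item['Modified'] -lt $attackUtc) { continue }   # not changed since the attack

    $url  = $item['FileRef']                              # server-relative URL
    # Get-PnPFileVersion lists previous versions only, not the current one.
    $good = Get-PnPFileVersion -Url $url |
        Where-Object { $_.Created -lt $attackUtc } |
        Sort-Object Created -Descending |
        Select-Object -First 1

    $result = if (-not $good) {
        'NoCleanVersion'      # created after the attack, or version history removed
    } elseif ($dryRun) {
        'WouldRestore'
    } else {
        try {
            Restore-PnPFileVersion -Url $url -Identity $good.ID -Force -ErrorAction Stop | Out-Null
            'Restored'
        } catch { "Failed: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Url = $url; Version = $good.VersionLabel; Result = $result }
}

$report | Group-Object { ($_.Result -split ':')[0] } | Select-Object Name, Count
$report | Export-Csv -Path .\version-rollback.csv -NoTypeInformation
```

Files reported as `NoCleanVersion` have no version from before the attack and need the recycle bin or a backup instead.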

With OneDrive it is a bit easier. You can revert your whole OneDrive up to 30 days:

  1. Open OneDrive in the browser and go to settings
  2. Select Restore your OneDrive
  3. Select a date and click Restore

Microsoft Backups

For SharePoint, your only real option to restore your files after a ransomware attack (if you don’t have a third-party backup) is to contact Microsoft and ask if they can restore a site for you.

Microsoft makes a daily backup of your data and keeps it for 14 days. If you need to recover from a ransomware attack, then without a third-party backup solution, this is your best option.

You will need to open a ticket at Microsoft support to recover the data; it can take up to 48 hours or sometimes even more before your data is restored. Another downside is that Microsoft only restores the complete site, so you can’t restore only one document library.

Keep in mind that those backups are not guaranteed: Microsoft even recommends using a third-party backup solution to keep your data safe.

Restoring with Compliance Retention Policies

Retention policies are only available on Microsoft Office 365 E3 and higher plans, so not everyone can use this feature. With retention policies, a copy of the file is kept when a file is created or modified. This allows you to always find and recover the original file and all the alterations of it.

The advantage of retention policies is that every change is kept, compared to a backup solution that can only take a couple of snapshots per day. So, in theory, it is a perfect backup solution—but there are a couple of downsides.

Data that is retained by retention policies counts towards your storage quota. If you retain your data for a couple of years, then the extra storage that you need to buy can become really expensive.

The other problem is restoring the files. You can’t simply select a folder in the compliance center or a SharePoint site. You will have to create search queries to select and export the correct files that you need to recover.

If you have found the correct set of files, then you can only download the files and will have to upload them manually again.

Restoring files from the compliance center can be really time-consuming and should only be used as your last resort.

Microsoft 365 Ransomware Protection

To protect your data against ransomware you will have to use a layered approach. It all starts with educating your users on how to recognize phishing emails. Users are the middleman when it comes to ransomware infections.

Most ransomware is spread through phishing emails that link to malicious documents or websites. Regularly informing your users about how to recognize phishing emails is really the first step. When I detect a phishing mail, I always post it on Yammer, pointing out how they could recognize it.

Email Protection

As mentioned, most attacks start with phishing emails. We can use mail flow rules in Exchange Online to block malicious attachments. Simply create a new rule and block all messages with executable content.

I also like to block .zip files to the general mailboxes (like info or invoice mailboxes). These mailboxes always get a lot of spam/phishing emails, so if possible, simply block all the mails with a .zip file in them.
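
The two mail flow rules described above, as an added example that is not from the original article. It assumes the ExchangeOnlineManagement module; the rule names, admin account and mailbox addresses are placeholders.

```powershell
# Added example: create both rules in audit mode first, then enforce.
# Assumes the ExchangeOnlineManagement module; names and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'    # placeholder admin

$mode = 'Audit'   # log matches only; switch to 'Enforce' after reviewing the hits

$rules = @(
    @{
        Name                           = 'Block executable attachments'
        AttachmentHasExecutableContent = $true
        RejectMessageReasonText        = 'Executable attachments are not accepted.'
        Mode                           = $mode
    },
    @{
        Name                            = 'Block .zip to general mailboxes'
        SentTo                          = 'info@contoso.com', 'invoice@contoso.com'
        AttachmentExtensionMatchesWords = 'zip'
        RejectMessageReasonText         = 'Zip attachments are not accepted on this mailbox.'
        Mode                            = $mode
    }
)

# Create a rule if it is missing, otherwise update it in place, so the
# script can be re-run when moving from Audit to Enforce.
$existing = (Get-TransportRule).Name
foreach ($rule in $rules) {
    if ($existing -contains $rule['Name']) {
        $update = $rule.Clone()
        $update.Remove('Name')
        Set-TransportRule -Identity $rule['Name'] @update
    } else {
        New-TransportRule @rule
    }
}

# Confirm what is now active.
$names = $rules | ForEach-Object { $_['Name'] }
Get-TransportRule | Where-Object { $names -contains $_.Name } |
    Format-Table Name, State, Mode, Priority
```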

If you want to secure your Exchange Online even further, then a good option is to add Defender for Office 365. This adds protection against malicious links and unsafe attachments, and it provides better zero-day protection.

Enable Multi-Factor Authentication

There is really no reason not to enable multi-factor authentication. The Microsoft Authenticator app makes approving the MFA request really easy, and app passwords take care of legacy applications.

If a user is tricked into opening a phishing email, then the MFA will still protect the account from unauthorized access. Even with regular user training, some users will still enter their credentials on a phishing website. So, MFA is really a must.

Device Protection

The next step is to protect the devices. Besides the obvious points like keeping your anti-virus up-to-date, it’s also a good idea to implement a group policy with software restrictions. You can for example block executable files in the %appdata%, %localappdata%, and temp folders.

Files that are automatically downloaded are 90% of the time stored in one of those folders. Blocking them by default can prevent malware from becoming active.


Even with all the security features that you can add to Office 365, like Advanced Threat Protection (ATP), Defender for Office 365, and Intune Device Management, you can still get infected with ransomware. And all these tools come at a cost, while the weakest link in your security is still your users.

Having a third-party backup solution allows you to recover the data quickly, minimizing the downtime and the risk of data loss. Modern Microsoft 365 backup solutions are capable of backing up not only SharePoint and OneDrive, but also Teams, OneNote, and workflows.

They not only protect you against ransomware but also from user errors such as accidentally deleting a whole team.

And keep in mind that even Microsoft recommends it:

Microsoft Services Agreement, chapter 6, paragraph b: “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

In addition to Microsoft 365, modern backup solutions also support Google Workspace; you can check the Google Partner documentation if you want to learn more.

OneDrive Ransomware Protection

OneDrive is protected by Microsoft against ransomware with built-in ransomware detection. Microsoft actively monitors your OneDrive data and alerts you when it suspects a ransomware infection.

You can roll back your OneDrive up to 30 days, but keep in mind that this is based on the file versioning. Some ransomware is capable of copying the file, encrypting it, and removing the original, including all the versions. You might then be able to recover it from the recycle bin, but that is not guaranteed.

If you really want to keep your data safe, then third-party backups for OneDrive are your best option.

Wrapping Up

I hope you found this information useful for protecting your Microsoft 365 data against ransomware. Using a layered approach is always the best when it comes to securing your data.

Make sure you train and inform your users regularly on recognizing phishing mail. If you have any questions, feel free to drop a comment below!