Ransomware protection in Microsoft 365

Microsoft 365 includes defenses and controls that help protect your organization and its assets from ransomware attacks. You can organize these assets by domain, with each domain having its own set of risk mitigations.

Domain 1: Tenant level controls

The first domain includes the people in your organization and the infrastructure and services that your organization owns and controls. The following Microsoft 365 features are either on by default or can be configured to help reduce the risk of ransomware and recover from a successful compromise of assets in this domain.

Exchange Online

  • With single item recovery and mailbox retention, you can recover items in a mailbox that were inadvertently or maliciously deleted. You can roll back mail messages deleted within 14 days by default, and you can configure this period for up to 30 days.

  • You can configure additional retention policies within the Exchange Online service to:

    • Set retention for 1 year, 10 years, or longer
    • Apply copy-on-write protection
    • Lock the retention policy to achieve immutability
  • Exchange Online Protection scans incoming email and attachments in real time as they enter and exit the system. This feature is enabled by default and offers filtering customizations. Messages that contain ransomware or other known or suspected malware are deleted. You can configure notifications so that admins are informed when this occurs.
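
The following PowerShell is an added example, not code from the Microsoft page: it audits the deleted-item retention window and single item recovery state of every user mailbox against the 30-day maximum described above, raises both where needed, and turns on the admin notifications that Exchange Online Protection sends when it deletes a malware-bearing message. It assumes the ExchangeOnlineManagement module, an account holding an Exchange administrator role, and the placeholder addresses admin@contoso.example and secops@contoso.example.

```powershell
# Added example (not from the Microsoft page). Assumptions: ExchangeOnlineManagement
# module installed, Exchange administrator role, placeholder addresses below.
# Every change carries -WhatIf so the run is a dry run until you remove it.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$targetDays  = 30                          # page: 14 days by default, 30 days maximum
$adminNotify = 'secops@contoso.example'    # placeholder: where EOP malware notices go

# 1. Find user mailboxes whose deleted-item window is below the target, or that
#    have single item recovery switched off. RetainDeletedItemsFor is a time span
#    (e.g. 14.00:00:00); the cast handles both the object and its string form.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$weak = @($mailboxes | Where-Object {
    ([TimeSpan]$_.RetainDeletedItemsFor).Days -lt $targetDays -or
    -not $_.SingleItemRecoveryEnabled
})
"{0} of {1} mailboxes need hardening" -f $weak.Count, $mailboxes.Count

# 2. Raise the window to 30 days and enable single item recovery on those mailboxes.
foreach ($mbx in $weak) {
    Set-Mailbox -Identity $mbx.Identity `
        -RetainDeletedItemsFor $targetDays `
        -SingleItemRecoveryEnabled $true -WhatIf
}

# 3. Make mailboxes created later inherit the same window through the mailbox plans.
Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor $targetDays -WhatIf

# 4. Ask Exchange Online Protection to notify admins whenever it deletes a message
#    carrying malware, for both internal and external senders.
Set-MalwareFilterPolicy -Identity Default `
    -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress $adminNotify `
    -EnableExternalSenderAdminNotifications $true -ExternalSenderAdminAddress $adminNotify -WhatIf

# 5. Read back the notification settings to confirm the change after a real run.
Get-MalwareFilterPolicy -Identity Default |
    Select-Object EnableInternalSenderAdminNotifications, InternalSenderAdminAddress,
                  EnableExternalSenderAdminNotifications, ExternalSenderAdminAddress
```

Re-run step 1 after removing -WhatIf; the count should drop to zero, which is the check to keep in a periodic posture review.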

SharePoint and OneDrive Protection

SharePoint and OneDrive Protection include features that help protect against ransomware attacks.

Versioning: Versioning retains at least 500 versions of a file by default, and you can configure it to retain more. If ransomware edits and encrypts a file, you can recover a previous version of the file.

Recycle bin: If ransomware creates a new encrypted copy of the file and deletes the old file, you have 93 days to restore the deleted file from the recycle bin.

Preservation Hold library: You can retain files stored in SharePoint or OneDrive sites by applying retention settings. When you apply retention settings to a document with versions, the versions are copied to the Preservation Hold library, where each exists as a separate item. If a user suspects their files are compromised, they can investigate file changes by reviewing the retained copy. File Restore lets you recover files from within the last 30 days.

Teams

Teams chats are stored within Exchange Online user mailboxes and files are stored in either SharePoint or OneDrive. Microsoft Teams data is protected by the controls and recovery mechanisms available in these services.

Enhanced Microsoft 365 Recovery Tooling with Microsoft 365 Backup

In addition to these native built-in capabilities, Microsoft also recommends evaluating the use of Microsoft 365 Backup or a recognized partner solution built on top of the Microsoft 365 Backup Storage platform. The Microsoft 365 Backup tool complements and extends the native capabilities with a focus on fast, secure, and efficient self-service bulk recovery, so that you can quickly return your content to a healthy point in time before the attack. The Backup Storage platform is architected and purpose-built to provide enhanced restore capabilities for admins. Be aware when purchasing a partner solution that does not use the Microsoft 365 Backup Storage platform: some partner solutions only copy your data to another location and will likely not provide restore performance sufficient to meet your ransomware recovery needs. Learn more about how to select an appropriate backup and restore solution.

Domain 2: Service level controls

The second domain covers the people who make up Microsoft as an organization, and the corporate infrastructure that Microsoft owns and controls to run its business functions.

Microsoft's approach to securing its corporate estate is Zero Trust, implemented using our own products and services with defenses across our digital estate. You can find more details about the principles of Zero Trust here: Zero Trust Architecture.

Additional features in Microsoft 365 extend the risk mitigations available in domain 1 to further protect the assets in this domain.

SharePoint and OneDrive Protection

Versioning: If ransomware encrypts a file in place (as an edit), the file can be recovered back to its initial creation date using the version history capabilities managed by Microsoft.

Recycle bin: If ransomware creates a new encrypted copy of the file and deletes the old file, customers have 93 days to restore it from the recycle bin. After 93 days, there's a 14-day window in which Microsoft can still recover the data. After this window, the data is permanently deleted.

Teams

The risk mitigations for Teams outlined in Domain 1 also apply to Domain 2.

Domain 3: Developers and service infrastructure

The third domain covers the people who develop and operate the Microsoft 365 service, the code and infrastructure that deliver the service, and the storage and processing of your data.

Microsoft investments that secure the Microsoft 365 platform and mitigate the risks in this domain focus on these areas:

  • Continuous assessment and validation of the security posture of the service
  • Building tools and architecture that protect the service from compromise
  • Building the capability to detect and respond to threats if an attack occurs

Continuous assessment and validation of the security posture

  • Microsoft mitigates the risks associated with the people who develop and operate the Microsoft 365 service by using the principle of least privilege. This principle limits access and permissions to resources to only what is necessary to perform a needed task.
    • A Just-In-Time (JIT), Just-Enough-Access (JEA) model provides Microsoft engineers with temporary privileges.
    • Engineers must submit a request for a specific task to acquire elevated privileges.
    • Lockbox manages requests and uses Azure role-based access control (RBAC) to limit the types of JIT elevation requests engineers can make.
  • In addition to the above, Microsoft pre-screens all candidates before they begin employment. Employees who maintain Microsoft online services in the United States must undergo a Microsoft Cloud Background Check as a prerequisite for access to online services systems.
  • All Microsoft employees must complete basic security awareness training along with Standards of Business Conduct training.

Tools and architecture that protect the service

  • Microsoft's Security Development Lifecycle (SDL) focuses on developing secure software to improve application security and reduce vulnerabilities. For more information, see Security and Security development and operations overview.
  • Microsoft 365 restricts communication between different parts of the service infrastructure to only what is necessary to operate.
  • Extra network firewalls at boundary points secure network traffic and help detect, prevent, and mitigate network attacks.
  • Microsoft 365 services are architected to operate without engineers requiring access to customer data, unless the customer explicitly requests and approves access. For more information, see How does Microsoft collect and process customer data.

Detection and response capabilities

  • Microsoft 365 continuously monitors its systems to detect and respond to threats to Microsoft 365 Services.
  • Centralized logging collects and analyzes log events for activities that might indicate a security incident. The alerting system analyzes log data as it gets uploaded and produces alerts in near real time.
  • Cloud-based tools enable rapid response to detected threats. These tools enable remediation by using automatically triggered actions.
  • When automatic remediation isn't possible, the system sends alerts to the appropriate on-call engineers. These engineers have a set of tools that enable them to act in real time to mitigate detected threats.

Recover from a ransomware attack

For the steps to recover from a ransomware attack in Microsoft 365, see Recover from a ransomware attack in Microsoft 365.