January 15 2026

How to achieve clean and confident Microsoft 365 recoveries with Cohesity

Use new, industry-first enterprise security and threat scanning capabilities to protect SharePoint Online, Exchange, and OneDrive data.


With Exchange Online, OneDrive, and SharePoint Online, Microsoft 365 helps organizations collaborate and communicate. But that also makes it an attractive target for attackers seeking to compromise enterprise data. 

Threat scanning plays a key role in cyber resilience. Scanning your secondary data for potential threats can provide an additional line of defense and helps prevent reinfection during recovery.

Cohesity helps thousands of organizations like Nasdaq, Ausenco, and many more to secure and protect their Microsoft 365 deployments—and we’re always innovating to help you stay ahead of bad actors. Today, we're introducing new threat scanning capabilities for Cohesity Data Cloud to detect indicators of compromise (IOCs) in OneDrive, Exchange, and SharePoint Online data. 

You can choose from multiple sources of regularly updated detection content in Cohesity Data Cloud. These options include:  

Here’s how to use our newest advanced threat detection capabilities for your Microsoft 365 environment.

How to scan for Microsoft 365 threats with Cohesity Data Cloud

  1. Select the Microsoft 365 workload you’d like to run a scan on:

  2. Schedule your threat scan to run immediately or at a scheduled time:

    Cohesity has long supported the best practice of running regular threat scans. Now, you can set the scan frequency to daily, weekly, or monthly. Depending on the risk or workload type, you have the flexibility to scan as often as you need.
  3. Analyze and ingest your threat scan results:

    Our platform, Cohesity Data Cloud, includes a built-in high-quality threat feed powered by Google Threat Intelligence. The platform also supports integration with threat feeds you may already be using (such as CrowdStrike Falcon Adversary Intelligence in a bring-your-own-license model), and threat hunting with custom YARA rules. Results and alerts from your threat scan all show up in a single pane of glass right in your Cohesity console.
  4. Investigate and remediate threats to ensure that your secondary data is free of malware:

    After the scan runs, Cohesity turns IoC detections into security-ready findings you can actually act on. Investigate and remediate these threats to prevent further compromise and identify clean recovery points.  

    From there, you can also feed these alerts and IoCs into the tools your security team already lives in (like a SIEM or SOAR) so they can correlate threat signals from your backups with identity, endpoint, and email telemetry, accelerate triage, and tighten incident response workflows.
  5. Recover confidently and quickly with clean backups:

    These native threat detection capabilities ensure that your mission-critical Microsoft 365 data is free of infections—a critical aspect of a clean recovery that ultimately reduces downtime. Cohesity alerts you and tags infected snapshots or backup objects so that you can avoid recovery from a malicious copy. The result? You can have confidence that a clean recovery is possible.

Best practices for threat scanning

Now that you know how to use our newest capabilities to secure your Microsoft 365 environment, here are some threat scanning best practices your teams can implement today.

1. Align and schedule scanning with risk and workload type. 

Start by classifying your Microsoft 365 workloads by business criticality and risk. For example, a possible classification could be:

  • High risk: Executive mailboxes, finance and HR mailboxes, privileged user OneDrive instances, sensitive SharePoint sites (finance, legal, R&D, M&A)
  • Medium risk: Departmental collaboration sites and team mailboxes
  • Lower risk: Test areas, low-sensitivity collaboration spaces

Use these classifications to inform how often and deeply you scan. High-risk critical workloads should be scanned after a new backup is captured, or at some other high frequency. Medium and lower-risk workloads can be tuned to your SLA and storage profile. Another benefit of performing scans on secondary data is that users won’t see performance degradation. Their experience working in production environments is unaffected. 

2. Integrate secondary threat intelligence into incident response.

Threat intelligence from your data protection platform is a powerful “second opinion” alongside the telemetry from your endpoint, email, and network security tools. Seasoned security teams are increasingly treating findings from secondary data telemetry as crucial inputs into their cyber incident response process. You should consider the following integrations: 

  • Embed Cohesity threat signals directly into your incident response playbooks. For example: “On confirmation of ransomware in Microsoft 365, trigger on-demand scans of impacted SharePoint sites and mailboxes for the last n days.” 
  • Use scan results to quickly answer core IR questions: 
    • How long has this threat been present in our environment? 
    • Which users, mailboxes, sites, and files were affected? 
    • And perhaps most critically, which recovery points are known to be clean? 
  • When new IOCs emerge during an investigation, push them into your scanning logic, so you can threat hunt across your secondary data based on the new findings. 

Threat intelligence findings from your secondary data are often cleaner and more complete. Why? Because they are derived from consistent, point-in-time copies of data—not live systems that are constantly changing and cannot be continuously scanned without disrupting users. In incident response scenarios, threat intelligence also helps security teams confirm what happened, narrow the blast radius, and direct them to known-safe recovery points.

3. Feed threat-scanning results into security tools.

Threat scanning on secondary data becomes exponentially more valuable when its output doesn’t live in a silo. Make sure your threat scan results from your data protection platform flow into the tools your security teams already live in. Forward alerts and findings into your SIEM so they can be correlated with endpoint, identity, and network events. For example, malware detection in a backup of an executive mailbox, correlated with anomalous sign-in activity and EDR alerts, paints a far clearer picture than any single signal alone.
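The two practices above (answering the core IR questions from scan results, and forwarding findings to a SIEM) can be illustrated with a small triage routine over threat-scan output. The following is an added example written for this post, not Cohesity code: the snapshot and finding schema, the sample scan results, and the flat SIEM event layout are all constructed assumptions, and a real deployment would map the platform's own export into them. It determines the earliest snapshot in which an IoC appears (a lower bound on dwell time), lists the affected objects, and reports the newest recovery point per workload that was actually scanned and came back clean, treating unscanned snapshots as unknown rather than clean.

```python
"""Triage of threat-scan results across Microsoft 365 backup snapshots.

Added example, not Cohesity's code. The Snapshot/Finding schema and the
sample data are constructed assumptions for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    taken_at: datetime
    workload: str        # "exchange", "onedrive" or "sharepoint"
    scanned: bool = True  # only scanned snapshots can be called clean


@dataclass(frozen=True)
class Finding:
    snapshot_id: str
    object_path: str     # mailbox, site or file the IoC matched in
    ioc: str             # indicator or rule name that fired
    source: str          # feed or rule set that produced the hit


UTC = timezone.utc

# Constructed sample data: daily snapshots of one SharePoint site plus one
# mailbox snapshot. snap-000 was never scanned; the IoC first shows up in
# snap-002 and persists into snap-003.
SNAPSHOTS = [
    Snapshot("snap-000", datetime(2026, 1, 11, 2, 0, tzinfo=UTC), "sharepoint", scanned=False),
    Snapshot("snap-001", datetime(2026, 1, 12, 2, 0, tzinfo=UTC), "sharepoint"),
    Snapshot("snap-002", datetime(2026, 1, 13, 2, 0, tzinfo=UTC), "sharepoint"),
    Snapshot("snap-003", datetime(2026, 1, 14, 2, 0, tzinfo=UTC), "sharepoint"),
    Snapshot("mbx-001", datetime(2026, 1, 13, 3, 0, tzinfo=UTC), "exchange"),
]

FINDINGS = [
    Finding("snap-002", "sites/finance/Shared Documents/invoice.docm", "EXAMPLE_macro_dropper", "custom-yara"),
    Finding("snap-003", "sites/finance/Shared Documents/invoice.docm", "EXAMPLE_macro_dropper", "custom-yara"),
    Finding("snap-003", "sites/finance/Shared Documents/readme.txt", "EXAMPLE_ransom_note", "threat-feed"),
]


def _by_id(snapshots: list[Snapshot]) -> dict[str, Snapshot]:
    return {s.snapshot_id: s for s in snapshots}


def affected_objects(findings: list[Finding]) -> list[str]:
    """Which mailboxes, sites and files had at least one IoC hit."""
    return sorted({f.object_path for f in findings})


def first_seen(snapshots: list[Snapshot], findings: list[Finding]) -> datetime | None:
    """Earliest snapshot time with an IoC hit. This bounds dwell time from
    above only loosely: the threat arrived somewhere between the previous
    clean snapshot and this one."""
    by_id = _by_id(snapshots)
    times = [by_id[f.snapshot_id].taken_at for f in findings if f.snapshot_id in by_id]
    return min(times) if times else None


def clean_recovery_points(snapshots: list[Snapshot], findings: list[Finding],
                          workload: str | None = None) -> list[Snapshot]:
    """Snapshots known to be clean: scanned, and with zero findings. Newest first."""
    infected = {f.snapshot_id for f in findings}
    candidates = [
        s for s in snapshots
        if s.scanned and s.snapshot_id not in infected
        and (workload is None or s.workload == workload)
    ]
    return sorted(candidates, key=lambda s: s.taken_at, reverse=True)


def latest_clean_recovery_point(snapshots: list[Snapshot], findings: list[Finding],
                                workload: str) -> Snapshot | None:
    points = clean_recovery_points(snapshots, findings, workload)
    return points[0] if points else None


def to_siem_event(finding: Finding, snapshots: list[Snapshot]) -> dict[str, str]:
    """Flatten one finding into a key/value event (assumed layout) so a SIEM
    can correlate it with identity, endpoint and email telemetry."""
    snap = _by_id(snapshots)[finding.snapshot_id]
    return {
        "event_type": "backup_threat_finding",
        "workload": snap.workload,
        "snapshot_id": snap.snapshot_id,
        "snapshot_time": snap.taken_at.isoformat(),
        "object": finding.object_path,
        "ioc": finding.ioc,
        "source": finding.source,
    }


def triage_report(snapshots: list[Snapshot], findings: list[Finding]) -> dict:
    """Answer the core IR questions in one structure."""
    seen = first_seen(snapshots, findings)
    workloads = sorted({s.workload for s in snapshots})
    return {
        "first_seen": seen.isoformat() if seen else None,
        "affected_objects": affected_objects(findings),
        "latest_clean_recovery_point": {
            w: (p.snapshot_id if (p := latest_clean_recovery_point(snapshots, findings, w)) else None)
            for w in workloads
        },
        "siem_events": [to_siem_event(f, snapshots) for f in findings],
    }


if __name__ == "__main__":
    print(json.dumps(triage_report(SNAPSHOTS, FINDINGS), indent=2))
```

The `scanned` flag is the detail worth copying into any real workflow: a snapshot with no findings is only a known-clean recovery point if a scan actually ran against it, which is why `snap-000` is never offered even though it predates the infection.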

Cyber resilience starts with clean, trusted recoveries

Threats targeting Microsoft 365 aren’t slowing down. While Microsoft may provide basic native security capabilities, the shared responsibility model means your data—and your cyber resilience—are ultimately your responsibility. It’s critical that organizations reduce risk and regularly scan secondary data as an additional line of defense that can also prevent reinfection during recovery.

Security and IT teams are asking more nuanced questions: from “can we recover?” to “can we recover safely?” Consistently detecting and investigating threats across your secondary data estate is a core pillar of cyber resilience. With Cohesity, you're able to move from basic recovery to proven cyber resilience for your Microsoft 365 workloads and beyond.
