Microsoft 365 adoption has been phenomenal, with nearly 300 million users and over 50% subscriber growth over the past two years alone. Unfortunately, Microsoft 365 isn’t the only thing that’s been growing: ransomware attacks have been on the rise as well. Ransomware is the top cyberthreat according to Secureworks, while Cybersecurity Ventures expects payouts to reach a staggering $1.75 trillion by 2025.

So is Microsoft 365 data completely protected from ransomware? The short answer is NO. First off, it is important to understand that Microsoft 365 users must follow a shared responsibility model when managing and protecting their own data. This means it’s your responsibility to protect your data from ransomware using data backup and other techniques. But first, let’s take a look at what protections Microsoft 365 does offer.

Built-in Protections in Microsoft 365

Microsoft 365 does have some built-in retention and versioning capabilities that help you retain data after deletion or modification, but they are not backups. Since ransomware attacks and encrypts file data, let’s look at the protections provided by OneDrive and SharePoint Online, which retain deleted items for 93 days by default. But only OneDrive specifically offers the ability to recover back to a point in time up to 30 days. This may seem okay, but ransomware can infect and then hide itself for weeks or months before launching an attack. More importantly, the versioning provided by OneDrive and SharePoint is not suitable for recovering from ransomware, because recovery needs to happen from a specific point in time across the entire data set, not on individual files, to ensure the data is clean of ransomware infection.

Vulnerabilities and Ransomware Targeting

Even with basic versioning and retention there are multiple ways cybercriminals can target Microsoft 365 with ransomware. Let’s take a look at some examples below.


Remember those emails from a wealthy prince promising you millions of dollars if you respond? Well, things haven’t changed much today in the age of ransomware. As witnessed in the ransomware attack on Merseyrail, the most common attack vector for gaining access to your systems is email, including M365 Exchange Online email; this is also referred to as Business Email Compromise. It includes phishing emails where a user is tricked into entering their username, password, or other personal information, as well as email attachments or web links containing malware that activates when clicked. That is why even OneDrive and SharePoint files are at higher risk of being encrypted. Backup protection for your entire M365 suite, including Exchange Online emails, should always be part of the plan.


Data encryption has also been the first and core tactic of a ransomware attack. Cybercriminals encrypt your data and demand a ransom in exchange for the encryption key to decrypt and free your data. Although we have not seen any publicized large-scale encryption attacks directly on Microsoft 365, that doesn’t mean it hasn’t happened or that you are safe. OneDrive and SharePoint Online data can be encrypted in several ways: for example, infected files can be synced from a user machine to OneDrive or SharePoint, or directly from a server that encrypts and syncs files at a large scale.

Theft and Exfiltration

Most recently, ransomware not only encrypts files but also steals sensitive and confidential information, such as credit card numbers or personally identifiable information (PII), and the attackers threaten to leak the information publicly or sell it on the dark web to further extort a ransom payment from their victims. Also known as Ransomware Double Extortion, this is most likely the biggest threat to your M365 data. Because M365 and other SaaS apps provide easy online access and simple sharing controls, it is very easy for cybercriminals with compromised credentials to access data undetected and to steal and exfiltrate sensitive data.
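
Added example (not part of the original article and not Cohesity code): both the sync-driven mass encryption described above and bulk access with compromised credentials show up in the Microsoft 365 unified audit log as a burst of file events from one account. The sketch below assumes audit records exported as dicts with the CreationTime, UserId, Operation and ObjectId fields; the thresholds, user names and sample records are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Unified audit log operations grouped by the behaviour a burst of them suggests.
CATEGORIES = {
    "FileModified": "mass_modify", "FileRenamed": "mass_modify",
    "FileSyncUploadedFull": "mass_modify",
    "FileDownloaded": "bulk_download", "FileSyncDownloadedFull": "bulk_download",
}

def find_bursts(records, threshold=50, window=timedelta(minutes=5)):
    """Return {(user, category): time of first alert} for every account that
    touches `threshold` distinct files in one category within `window`.
    threshold and window are assumed values; tune them per tenant."""
    recent = defaultdict(deque)          # (user, category) -> (time, file) pairs
    alerts = {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        category = CATEGORIES.get(rec["Operation"])
        if category is None:
            continue                     # operation not relevant to this check
        key = (rec["UserId"], category)
        when = datetime.fromisoformat(rec["CreationTime"])
        events = recent[key]
        events.append((when, rec["ObjectId"]))
        while when - events[0][0] > window:
            events.popleft()             # drop events that left the window
        # Count distinct files so autosaves of one document do not alert.
        if key not in alerts and len({f for _, f in events}) >= threshold:
            alerts[key] = when
    return alerts

def sample_records():
    """Constructed audit records, not real tenant data."""
    t0 = datetime(2021, 6, 1, 9, 0, 0)
    def rec(user, op, name, offset):
        return {"CreationTime": (t0 + offset).isoformat(), "UserId": user,
                "Operation": op,
                "ObjectId": f"https://contoso.example/{user}/{name}"}
    out = []
    for i in range(60):
        out += [
            rec("alice@contoso.example", "FileModified", f"doc{i}.docx", timedelta(seconds=2 * i)),
            rec("bob@contoso.example", "FileDownloaded", f"hr{i}.xlsx", timedelta(seconds=i)),
            rec("carol@contoso.example", "FileModified", f"note{i}.txt", timedelta(minutes=10 * i)),
            rec("dave@contoso.example", "FileModified", "budget.xlsx", timedelta(seconds=3 * i)),
        ]
    return out

if __name__ == "__main__":
    for (user, category), when in find_bursts(sample_records()).items():
        print(f"{when.isoformat()} {category} {user}")
```

In the constructed data, alice and bob trigger alerts, while carol (slow, spread-out edits) and dave (repeated saves of a single file) do not.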

Multilayered M365 Ransomware Protection with Cohesity

Cohesity’s suite of next-gen data management products and comprehensive Threat Defense data security architecture provide multiple layers of protection from ransomware to safeguard your M365 and other data. They are designed to enable you to recover production data that’s been encrypted, to ensure your backup data itself cannot be attacked, and to detect user behavior anomalies and threats that may be indicators of data exfiltration.

Fast and Flexible Recovery

Whether you are recovering from a ransomware attack or finding the right files that have been archived away for years (beyond the standard retention provided by M365), you want a backup solution that can recover data from any point in time and can do it fast. Cohesity DataProtect delivered as a Service provides comprehensive backup for M365 services including Exchange Online, OneDrive, SharePoint Online, Teams, and Groups so you can back up and retain data to meet your business needs and compliance requirements, while providing large-scale and granular recovery when you need it.

Immutable Backups

Not only do cybercriminals go after your production data, but many also try to encrypt or delete your backups to disable your ability to recover your production data after an attack. With Cohesity DataProtect delivered as a Service, you can rest assured your backup data is safe. Backup data is stored with immutability, meaning it cannot be tampered with, altered, or deleted during your user-defined retention period, keeping it safe from ransomware.

User Anomaly Detection

With data exfiltration and theft on the rise, we understand that backup and recovery are not enough to stop or minimize the blast radius of ransomware. We are designing Cohesity DataGovern to provide data governance and anomaly detection, so you can identify your most sensitive data and use machine learning and behavior analytics to detect potential threats from abnormal user behaviors, such as data overexposure and sharing or unauthorized access and downloads of sensitive data, that can be indicators of an attack in progress. Planned integrations with leading Security Orchestration, Automation, and Response tools will help you respond and remediate the situation quickly.

Get Started with Cohesity

With Cohesity it’s easy to get started. You can sign up today for a 30-day free trial of DataProtect delivered as a Service and start backing up your Microsoft 365 data in minutes. You can also get early access to DataGovern to classify and protect your sensitive data on Microsoft 365 by signing up for Preview.
