Ransomware is one of the most dangerous and disruptive cyber threats organizations face today. It is costly for individual businesses, and when it hits critical services it disrupts the backbone of society. Here’s what happens during an attack and how to prevent ransomware in the Microsoft 365 cloud.
Ransomware in 2025: A Cloud-Focused Crisis
Adoption of Microsoft 365 cloud brings productivity benefits to many organizations, but if not managed correctly, it also creates additional cybersecurity risks.
Microsoft reported a 275% year-on-year increase in ransomware attacks against customers in 2024. Analysis of incidents suggests that over half begin with phishing attacks, with an average ransom demand of $2.5 million.
Even if the victim doesn’t pay, ransomware attacks cost millions in downtime and losses. But despite the threat of ransomware attacks against the cloud, 9.8% of IT leaders believe Microsoft 365 can’t be hit.
Hospitals are often targets for ransomware groups, with attacks potentially putting patients in jeopardy. Meanwhile, recent ransomware attacks against UK retailers resulted in empty shelves for weeks.
Ransomware-as-a-service models enable even low-skilled attackers to hold organizations to ransom, and the growing use of cloud services gives attackers more ways to gain access to networks and encrypt files.
Entry Point: How the Attack Begins
Phishing emails are the most common entry point for ransomware, but there are other ways attackers can infiltrate cloud ecosystems.
Malicious Microsoft Teams Chats
Attackers can initiate Microsoft Teams chats with employees from outside the organization, taking advantage of the fact that external domains are enabled by default so that legitimate Teams calls work without extra configuration.
Social Engineering
Attackers are known to pose as IT support desks to convince employees that something is wrong, socially engineering them into sharing their screens or installing remote access tools. Attackers can also pose as employees to convince IT support teams that passwords need resetting. It’s believed this is how the attacks against UK retailers started.
Spread and Impact: The Cloud Turns Against You
With legitimate Microsoft 365 credentials, attackers have the same access to the cloud as the user they have compromised. Because Microsoft 365 treats these accounts as legitimate, their activity is not identified as malicious. With access to Teams, SharePoint, and Microsoft 365 (formerly Office 365) data in OneDrive, they can initiate the following:
Lateral Movement
Once inside your Microsoft 365 environment, attackers use legitimate credentials to move laterally across services and identities. With access to Exchange Online, SharePoint, Teams, and OneDrive, they escalate privileges, harvest tokens, and map your internal infrastructure, all without triggering traditional endpoint alerts. Their goal is to reach high-value systems and sensitive data repositories, often blending in with normal user activity.
Data Manipulation
Attackers can exfiltrate, corrupt, or permanently delete business-critical files stored in OneDrive or SharePoint. Because they act under valid credentials, their activity may bypass Data Loss Prevention (DLP) rules and audit policies. Some attackers modify file versions or inject malicious macros into existing Office documents to extend the attack’s impact or prepare for future reinfection.
Ransomware Deployment
Once access is secured and critical data identified, attackers execute the ransomware payload. In Microsoft 365 environments, this often involves encrypting synced files in OneDrive or mapped SharePoint libraries. Because these services automatically sync changes, encrypted files may overwrite clean versions across multiple endpoints and cloud backups, making recovery far more complex.
Persistent Access
To maintain long-term control, attackers create hidden mail forwarding rules, register malicious OAuth apps, or provision new user and admin accounts. In some cases, they target existing backup integrations, including trusted third-party tools, to delete snapshots or disable backup jobs. These tactics allow them to return later, even after remediation efforts appear complete.
Native Microsoft 365 Protections: Not Enough
Microsoft Teams enables several counter-measures against threats like ransomware by default, but in the world of cybersecurity and data protection, these are merely a starting point.
Default External Access
Microsoft Teams, for example, accepts contact from external domains by default, which gives attackers a route in. You must manually disable the ability for users of external domains to contact your Teams users.
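The following is an added example, not code from the original article or from MSP360, showing how the default external access described above is reviewed and tightened with the MicrosoftTeams PowerShell module. It assumes the module is installed, that the operator holds the Teams Administrator role, and that "partner.example" is a placeholder for a partner tenant you actually trust.

```powershell
# Added example: review and restrict Microsoft Teams external (federated) access.
# Assumptions: MicrosoftTeams module installed; Teams Administrator role;
# "partner.example" is a placeholder domain.
Connect-MicrosoftTeams

# 1. Record the current state before changing anything, for your change record.
$before = Get-CsTenantFederationConfiguration
$before |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowedDomains, BlockedDomains |
    Format-List

# 2. Option A (strictest, what the article recommends): no external domains and no
#    consumer (personal) Teams accounts can reach your users.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 3. Option B: keep federation, but only for an explicit allow list. Any tenant not
#    on the list, including one an attacker registered yesterday, is blocked.
#    (Uncomment to use instead of Option A.)
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
#                                     -AllowedDomainsAsAList @("partner.example") `
#                                     -AllowTeamsConsumer $false `
#                                     -AllowTeamsConsumerInbound $false

# 4. Verify the result.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains
```

Option B is usually the practical choice for organizations that collaborate with a fixed set of partners; an allow list removes the "anyone can message anyone" default without breaking legitimate cross-tenant calls.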
Vulnerable Features
Features in Exchange, OneDrive, and SharePoint, while beneficial for users, can also provide attackers with easy access points if not properly configured.
Limited Recovery
These services do not provide a full backup solution. Their built-in recovery tools only retain deleted files for 30 to 90 days, leaving organizations exposed to permanent data loss unless independent backup software is in place.


Financial Fallout
The reason ransomware remains such a significant threat is simple: it works. The ransom is paid in 16.3% of cases, up from 6.9%. But paying doesn’t guarantee a successful outcome. Ransomware attacks can lead to businesses permanently shutting down, with small businesses the most affected.

Checklist: Are You Ransomware-Ready?
Falling victim to ransomware isn’t inevitable; by using a layered defense strategy, you can significantly reduce your risk. Here’s a breakdown of how to achieve robust ransomware protection:
Backup and Recovery
Backup Microsoft 365 data externally
Use third-party tools like MSP360 Backup for Microsoft 365 to back up Exchange, OneDrive, SharePoint, and Teams. Microsoft retention is not a backup.
Get immutable, air-gapped backups
Store backups in tamper-proof and isolated environments to prevent encryption or deletion by ransomware.
Further reading: Air-Gap Backups vs. Immutable Backups: Which Strategy Best Protects Your Data?
Run restore drills quarterly
Test your recovery plan to validate that it meets your RTO (Recovery Time Objective) and works cleanly under pressure.
Enable legal hold to preserve critical data
Lock down data needed for compliance, litigation, or investigation, even if a user deletes it.
Follow the 3-2-1-1-0 backup rule
Keep 3 copies of your data, on 2 different media types, with 1 offsite, 1 immutable or offline, and 0 recovery errors through regular restore testing.
Further reading: The 3-2-1-1-0 Backup Rule: Extend Your Backup Security
Identity and Access Protection
Enforce MFA and block legacy authentication
Require Multi-Factor Authentication for all users and admins. Disable POP, IMAP, and other outdated protocols that bypass MFA.
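As an added example (not code from the article or from MSP360), the two halves of this item can be carried out from PowerShell: Exchange Online cmdlets turn off the protocols that bypass MFA, and a Microsoft Graph call creates the Conditional Access policies that require MFA and block legacy clients. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, the Exchange Administrator and Conditional Access Administrator roles, and a break-glass account object ID, shown here as an all-zero placeholder.

```powershell
# Added example: block legacy authentication and require MFA in Microsoft 365.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph modules; Exchange Administrator
# and Conditional Access Administrator roles; $breakGlassId is a placeholder object ID.
# Conditional Access policies start in report-only mode: review sign-in logs first so
# the break-glass admin account is never locked out.

Connect-ExchangeOnline

# 1. Find mailboxes that still accept POP/IMAP, the protocols that bypass MFA.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# 2. Turn POP/IMAP off for every existing mailbox.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# 3. Disable SMTP AUTH at the organization level; re-enable per mailbox only for a
#    device or application that genuinely needs it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 4. Make "no basic authentication" the tenant default. A newly created authentication
#    policy has every AllowBasicAuth* switch off unless you turn one on.
$policyName = "Block Legacy Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 5. Conditional Access: require MFA on modern clients, block legacy clients outright.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: your break-glass account

$requireMfa = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

$blockLegacy = @{
    displayName   = "Block legacy authentication clients"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = legacy protocols
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
```

Change `state` to `enabled` only after the report-only results show no legitimate service account relying on basic authentication; those accounts need a modern-auth replacement before the policy is enforced.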
Further reading: Multi-Factor Authentication (MFA) as a Must-Have for MSPs
Apply least-privilege access principles
Grant only the minimum necessary access to reduce the blast radius if accounts are compromised.
Further reading: Roles and Permissions in MSP360 Backup for Microsoft 365 and Google Workspace
Audit admin roles and app access regularly
Review high-privilege roles and integrations. Remove unused or unauthorized access paths.
Control third-party access and use conditional access policies
Limit OAuth app permissions. Require admin approval. Block risky access based on device, location, or risk score.
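The "Persistent Access" section above names three footholds (hidden mail forwarding rules, malicious OAuth apps, new accounts), and the two checklist items just above ask for regular review of app access and OAuth permissions. The following is an added example, not code from the article or from MSP360, that audits the first two of those footholds so unexpected entries can be reviewed and removed. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, the Exchange Administrator role, and the Graph scopes Application.Read.All and Directory.Read.All; the remediation commands at the end use placeholder identifiers.

```powershell
# Added example: audit mailbox forwarding, inbox rules and OAuth consent grants.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph modules; Exchange Administrator;
# Graph scopes Application.Read.All and Directory.Read.All. Placeholders are marked.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# 1. Forwarding configured on the mailbox object itself (not visible as an inbox rule).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect or silently delete mail.
#    -IncludeHidden also returns rules created over MAPI that Outlook does not display.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $_.Name
                Enabled = $_.Enabled
                Targets = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ";"
                Deletes = $_.DeleteMessage
            }
        }
}

# 3. OAuth consent grants. ConsentType "AllPrincipals" means an admin consented for the
#    whole tenant; "Principal" means one user consented for themselves. Review any app you
#    do not recognise, and any grant whose Scope includes mail or files read/write plus
#    offline_access, since that combination gives durable data access via refresh tokens.
$apps = @{}
Get-MgServicePrincipal -All | ForEach-Object { $apps[$_.Id] = $_.DisplayName }

Get-MgOauth2PermissionGrant -All |
    ForEach-Object {
        [pscustomobject]@{
            App         = $apps[$_.ClientId]
            ConsentType = $_.ConsentType
            PrincipalId = $_.PrincipalId
            Scope       = $_.Scope
        }
    } |
    Sort-Object App | Format-Table -AutoSize

# 4. Remediation once a finding is confirmed (placeholders in angle brackets).
# Remove-InboxRule -Mailbox "<user@your-tenant>" -Identity "<rule name>" -Confirm:$false
# Set-Mailbox -Identity "<user@your-tenant>" -ForwardingSmtpAddress $null -ForwardingAddress $null
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<grant id>"
```

Run this on a schedule and diff the output against the previous run; a new forwarding target or a new tenant-wide grant is far easier to spot as a change than in a full listing.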
Endpoint and Device Security
Use advanced endpoint protection (EDR/XDR)
Detect, isolate, and contain ransomware behaviors on devices in real time.
Enable Attack Surface Reduction (ASR) in Office apps
Block risky content like macros, script execution, and child processes triggered from Office files.
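As an added example (not code from the article or from MSP360), the following enables the Office-related Attack Surface Reduction rules on a Windows endpoint running Microsoft Defender Antivirus. It assumes an elevated PowerShell session on the endpoint (the same settings can be pushed through Intune or Group Policy); the rule GUIDs are Microsoft's published fixed identifiers for these rules, and the choice to start in audit mode is a deployment recommendation, not something the article specifies.

```powershell
# Added example: enable Office-related ASR rules, starting in audit mode.
# Assumptions: elevated PowerShell on a Windows endpoint with Microsoft Defender Antivirus.
# Audit first: ASR audit events appear in the Microsoft-Windows-Windows Defender/Operational
# log as event ID 1122 (1121 once blocking). Some line-of-business add-ins spawn child
# processes, so review those events before switching $mode to "Enabled".

# Published ASR rule IDs (fixed values from Microsoft's documentation).
$officeRules = @{
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "3B576869-A4EC-4529-8536-B80A7769E899" = "Block Office applications from creating executable content"
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" = "Block Office applications from injecting code into other processes"
    "92E97FA1-5D3B-4D1A-9A9A-2A5B4D44D8C2" = "Block Win32 API calls from Office macros"
}

$mode = "AuditMode"   # switch to "Enabled" after reviewing audit events

foreach ($id in $officeRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    Write-Host ("{0,-9} {1}" -f $mode, $officeRules[$id])
}

# Verify. Ids and Actions are parallel arrays; action codes: 0 = Disabled, 1 = Block (Enabled),
# 2 = AuditMode, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0}  action={1}" -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

The child-process rule is the one that most directly breaks the macro-launches-a-dropper chain; the other three close the remaining ways an Office document can turn into running code on the endpoint.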
Restrict software execution paths
Prevent ransomware from launching in common exploit folders (e.g., %TEMP%, %APPDATA%).
Control Remote Desktop Protocol (RDP)
Secure RDP with MFA and strong authentication.
Enable Mobile Device Management and control BYOD (Bring Your Own Device) access
Manage mobile devices and block access from unmanaged personal endpoints.
Further reading: Understanding Endpoint Security
Email and Phishing Defense
Enable Microsoft Defender for Office 365 Advanced Threat Protection (ATP)
Use Safe Attachments, Safe Links, and Threat Intelligence to block malware and phishing.
Implement advanced phishing protection (DMARC, DKIM, SPF)
Authenticate your email domain to prevent spoofing and reduce phishing success.
Deliver ongoing phishing training, simulations, and reporting workflows
Educate users with regular training, simulated attacks, and easy-to-use reporting tools.
Tune spam filters and block dangerous file types
Harden anti-spam policies and block risky file types such as .EXE, .ISO, .VBS, .PS1, and .SCR, not only with filters but also with transport rules and attachment policies.
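The following is an added example, not code from the article or from MSP360, implementing the item above in Exchange Online: a mail flow (transport) rule that rejects the listed extensions and anything detected as executable, plus the anti-malware common attachment filter as a second, independent layer. It assumes the ExchangeOnlineManagement module and the Exchange Administrator role; the rule names and reject text are my own choices.

```powershell
# Added example: block risky attachment types with a transport rule and the
# anti-malware common attachment filter, so the block does not depend on spam scoring.
# Assumptions: ExchangeOnlineManagement module; Exchange Administrator role.

Connect-ExchangeOnline

$blockedExtensions = @("exe", "iso", "vbs", "ps1", "scr")   # the types named in the checklist

# 1. Mail flow rules scoped to mail from outside the organization. Rejecting (rather than
#    silently dropping) returns an NDR, so legitimate senders learn why their mail failed.
New-TransportRule -Name "Block risky attachment types" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText "Attachment type not permitted by policy" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Priority 0

# Catches executables that were renamed to a harmless-looking extension: the service
# inspects the content, not the file name.
New-TransportRule -Name "Block executable attachments" `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not permitted" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Priority 1

# 2. Anti-malware policy: the common attachment filter quarantines by file type and also
#    applies to internal mail, which the externally scoped rules above do not cover.
$policy    = Get-MalwareFilterPolicy -Identity Default
$fileTypes = @(@($policy.FileTypes) + $blockedExtensions | Select-Object -Unique)
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $fileTypes

# 3. Verify both layers.
Get-TransportRule | Where-Object { $_.Name -like "Block*attachment*" } | Select-Object Name, State, Priority
(Get-MalwareFilterPolicy -Identity Default).FileTypes
```

Keep the two rules at the top of the priority order; a lower-priority rule that applies a disclaimer or routes mail would otherwise act before the block.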
Data Security and Classification
Apply data loss prevention (DLP) policies
Prevent sensitive data exfiltration in files, email, and chat.
Classify, protect, and encrypt sensitive content
Use Microsoft 365 sensitivity labels and encryption policies to apply watermarking, access restrictions, and more.
Enforce encryption for email and stored files
Ensure secure transmission and storage of sensitive data using native encryption capabilities.
Monitoring, Detection, and Response
Monitor for large data exports and abnormal activity
Detect bulk downloads, spikes in access, or anomalous user behavior.
Detect unusual activity and privilege misuse in real time
Set alerts for privilege escalation and abnormal file versioning or admin actions.
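For the two monitoring items above, bulk downloads and abnormal file versioning, the following is an added example (not code from the article or from MSP360) of the detection logic itself, run over constructed sample records shaped like the Unified Audit Log's AuditData JSON. The function and its thresholds are my own and must be tuned against your tenant's baseline; the commented production call at the end uses Search-UnifiedAuditLog from the ExchangeOnlineManagement module.

```powershell
# Added example: flag users whose FileDownloaded or FileModified events exceed a
# threshold inside a sliding time window. Sample records below are constructed.
# Thresholds are assumptions; tune them against your own baseline.

function Find-SuspiciousFileActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # parsed AuditData objects
        [int] $DownloadThreshold = 50,                 # downloads per user per window
        [int] $ModifyThreshold   = 50,                 # modifications per user per window
        [int] $WindowMinutes     = 10
    )
    $findings = @()
    foreach ($user in ($Records | Group-Object UserId)) {
        foreach ($ops in ($user.Group | Group-Object Operation)) {
            $threshold = switch ($ops.Name) {
                "FileDownloaded" { $DownloadThreshold }
                "FileModified"   { $ModifyThreshold }
                default          { $null }
            }
            if (-not $threshold) { continue }
            # Sliding window: after sorting, if event i and event i+threshold-1 are within
            # the window, at least $threshold events fall inside it.
            $times = @($ops.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
            for ($i = 0; ($i + $threshold - 1) -lt $times.Count; $i++) {
                $span = $times[$i + $threshold - 1] - $times[$i]
                if ($span.TotalMinutes -le $WindowMinutes) {
                    $findings += [pscustomobject]@{
                        UserId      = $user.Name
                        Operation   = $ops.Name
                        TotalEvents = $times.Count
                        WindowStart = $times[$i]
                        ClientIPs   = (@($ops.Group.ClientIP) | Select-Object -Unique) -join ","
                    }
                    break   # one finding per user/operation is enough for an alert
                }
            }
        }
    }
    return $findings
}

# Constructed sample: "alice" downloads 60 files in five minutes (suspicious);
# "bob" downloads three files over an hour (normal).
$t0 = Get-Date "2025-06-01T08:00:00Z"
$sample = @(1..60 | ForEach-Object {
    [pscustomobject]@{
        CreationTime = $t0.AddSeconds($_ * 5).ToString("s")
        Operation    = "FileDownloaded"
        UserId       = "alice@contoso.example"
        ObjectId     = "https://contoso.sharepoint.com/sites/finance/doc$($_).xlsx"
        ClientIP     = "203.0.113.10"
        Workload     = "SharePoint"
    }
}) + @(1..3 | ForEach-Object {
    [pscustomobject]@{
        CreationTime = $t0.AddMinutes($_ * 20).ToString("s")
        Operation    = "FileDownloaded"
        UserId       = "bob@contoso.example"
        ObjectId     = "https://contoso.sharepoint.com/sites/hr/file$($_).docx"
        ClientIP     = "198.51.100.7"
        Workload     = "OneDrive"
    }
})

# Expected: one finding, for alice@contoso.example / FileDownloaded; nothing for bob.
Find-SuspiciousFileActivity -Records $sample -DownloadThreshold 50 -WindowMinutes 10 | Format-Table -AutoSize

# Production use (requires Connect-ExchangeOnline and an audit-log reader role):
# $raw    = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date) `
#               -Operations FileDownloaded,FileModified -ResultSize 5000
# $parsed = $raw | ForEach-Object { $_.AuditData | ConvertFrom-Json }
# Find-SuspiciousFileActivity -Records $parsed
```

A burst of FileModified events from one account, especially when the ObjectId values show the same folder being rewritten in sequence, is the cloud-side signature of the sync-driven encryption described in the "Ransomware Deployment" section; the same function flags it by switching the operation name.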
Integrate logs with Security Information and Event Management (SIEM) for real-time alerts
Forward Microsoft 365 logs to a SIEM for advanced correlation and threat detection.
Monitor with Microsoft Secure Score and Compliance Manager
Use these tools to track security posture and compliance gaps with actionable recommendations.
Platform Hardening and Preparedness
Keep Microsoft 365 and OS software up to date
Patch vulnerabilities before attackers exploit them.
Develop an incident response plan
Know who does what in a ransomware attack, including containment, legal, and comms steps.
Segment your network
Isolate departments or critical systems so ransomware can’t spread laterally.
Further reading: Ransomware Protection for MSPs: How to Safeguard Your Clients’ Data
The Fix: Closing the Gaps
Ultimately, ransomware attacks against Microsoft 365 are preventable. Organizations should harden Teams, SharePoint, and Exchange configurations to remove default external access, disable macros, and restrict PowerShell access to block common persistence techniques.
Multi-factor authentication should be applied to accounts for additional defense against phishing attacks, while users should be trained to help spot phishing attempts.
Organizations should also deploy third-party backups like MSP360 Backup for Microsoft 365 to ensure daily, immutable backups and instant file restoration, should the need arise.
Further reading: Explore Microsoft 365 Best Practices for Data Protection in the Cloud
Conclusion on how to prevent ransomware in Microsoft 365
Ransomware attacks against Microsoft 365 are a major threat, but they aren’t an inevitability. By using the advice above, organizations can ensure they’re as protected against it as possible.
