Microsoft 365 Ransomware Recovery Guide


The threat landscape is constantly evolving, and bouncing back from an attack requires a clear understanding of what you are up against. This Microsoft 365 ransomware recovery guide covers how ransomware actually moves through a Microsoft 365 tenant, what Microsoft's native recovery can and can't do, how to contain an attack in progress, and how independent backup changes the outcome.

Microsoft reported a 275% year-on-year increase in human-operated ransomware against its customers between July 2023 and June 2024. In the 2025 Microsoft Digital Defense Report, over 52% of cyberattacks with a known motivation were driven by extortion and ransomware – the largest single category. The victim count is climbing with it: Emsisoft tracked a rise from roughly 5,400 claimed victims in 2023 to more than 8,000 in 2025. And it pays – by Rapid7's count, ransomware revenue grew almost 40% in Q1 2026 alone.

Two misconceptions make this worse. The first is that Microsoft 365 is somehow immune because Microsoft runs it. The second is a misread of the shared responsibility model: Microsoft keeps the platform online, but your data is yours to protect.

Microsoft 365 Ransomware Recovery in SaaS Environments

Traditional ransomware breaks into a server. SaaS ransomware signs into your tenant with a stolen password and uses it exactly as your users do – same logins, same permissions. Nothing looks wrong until the files are already encrypted or deleted.

Microsoft 365 has two characteristics that shape its specific exposure.

The first is depth. Whatever happens on a connected device flows into M365 – if ransomware encrypts files in a local OneDrive or SharePoint folder, the sync client treats them as normal edits and pushes them up to the cloud.

The second is breadth. Exchange, SharePoint, Teams, and OneDrive aren't really separate products – they're one surface behind a single identity, so one compromised login reaches all of them. Teams looks like the exception but isn't: its chats sit in Exchange mailboxes and its files in SharePoint and OneDrive, so compromising Teams means compromising those.

Adding insult to injury: downtime halts billable work, a breach involving personal data puts you on the hook with regulators, and the recovery itself drags on because encrypted files have already synced across the tenant. The numbers back it up – only 14% of IT leaders say they could recover critical SaaS data within minutes, and downtime can run past $300,000 an hour. The global average breach now runs $4.44 million, per IBM's Cost of a Data Breach Report 2025.

How Ransomware Attacks Work in Microsoft 365

Initial Access Methods

Phishing is still the front door. From there, attackers reuse a short list of reliable moves, covered in detail in how to prevent ransomware in Microsoft 365, but briefly:

  • Phishing emails that harvest credentials or drop a payload. Exchange Online processes a vast share of business email, which makes it the most reliable delivery channel attackers have.
  • External Teams chats, since Microsoft enables communication with external domains by default – a channel most users don't think of as an attack surface.
  • Consent phishing. A user approves a malicious app's permission request and hands over a working OAuth token – no password stolen, and nothing for MFA to block on later sign-ins.
  • Social engineering, posing as a user to force a password reset, or as IT to talk someone into installing a remote access tool.

Once the attacker has a valid login, the platform treats them as a legitimate user. They move across Exchange, SharePoint, Teams, and OneDrive without tripping the alarms that a malware drop would.

How Encryption Spreads in the Cloud

Encryption reaches Microsoft 365 through two routes. The first starts on a synced endpoint: ransomware encrypts files in a local OneDrive or SharePoint folder, the sync client treats them as legitimate edits, and it uploads them to the cloud, where they overwrite clean versions and sync down to every other connected device.

The second route runs directly in the cloud. An attacker with stolen credentials or a compromised OAuth token uses Microsoft's own APIs to modify files at scale – overwriting content, creating encrypted copies, deleting files, and stripping older versions to shrink your recovery options. Mass deletion and repeated overwrites can be as damaging as encryption: even with versioning on, an attacker can generate enough malicious versions to push the last clean copy out of the recovery window.

What Microsoft's Native Protection Does – and Where It Falls Short

Microsoft 365 isn't defenseless, and it's worth knowing exactly what its native protection does. SharePoint and OneDrive keep at least 500 file versions by default, so if ransomware encrypts a file in place, you can roll it back. If it deletes the original and leaves an encrypted copy sitting there, you've got 93 days to pull it from the recycle bin, and Microsoft can still recover it for another 14 days after that. Exchange Online Protection scans mail as it lands. Files Restore can rewind a whole OneDrive to any point in the last month.

Here's the problem, though. All of that was built for small, accidental loss, not for somebody actively trying to destroy your data. Two gaps make it obvious. First, Files Restore only covers OneDrive and SharePoint, not Exchange, so if email is what gets hit, there's no one-click way to roll it back. Second, an attacker who gets admin access can simply delete the versions, change retention settings, and strip out recovery points – whatever it takes to make sure there's nothing left to restore from. Microsoft itself recommends backing up your data, which says something.

Microsoft 365 Ransomware Recovery Steps

Isolate the Incident Immediately After a Ransomware Attack

Containment comes before investigation, because every minute the attack runs is more encrypted data. Microsoft's own incident-response guidance is the same: stop the spread first.

  • Disable the compromised account in Entra ID and reset its password, admins included. This blocks new sign-ins and revokes password-based tokens.
  • Revoke active sessions and tokens. A reset doesn't kill every token type on its own – revoking sessions is the one action that invalidates all of them, so the attacker can't keep a live session running.
  • Revoke malicious OAuth app grants. Disabling an account doesn't touch a third-party app the attacker authorized – that consent stays live until you revoke it.
  • Pause OneDrive and SharePoint sync clients. Sync is how local encryption reaches the cloud; pausing it stops infected devices from pushing encrypted versions up before you've cleaned them.
  • Disconnect infected endpoints from the network without shutting them down, so they can still be examined.
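The first three containment steps above, scripted as an added example with the Microsoft Graph PowerShell SDK (this is not an MSP360 or Microsoft script). It assumes the Microsoft.Graph module is installed, that you sign in with a role allowed to manage users and consent grants, and that `$Upn` is a placeholder for the compromised account.

```powershell
# Added example, not an MSP360 or Microsoft script: the containment steps
# above using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# $Upn is a placeholder; run as an admin role that can manage users and grants.
$Upn = 'compromised.user@contoso.example'   # placeholder, replace

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All'

# 1. Block new sign-ins: disable the account, then rotate the password.
Update-MgUser -UserId $Upn -AccountEnabled:$false
$newPw = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 |
                ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password = $newPw; ForceChangePasswordNextSignIn = $true }

# 2. Revoke sessions. A password reset does not invalidate every token
#    type; this call invalidates refresh tokens and session cookies for
#    all apps, so a live attacker session cannot keep running.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Revoke OAuth consent grants on the account. Disabling the user does
#    not touch these; a consent-phished app keeps its access until the
#    grant is removed. Review the printed list, then remove the grants.
$grants = Get-MgUserOauth2PermissionGrant -UserId $Upn -All
foreach ($g in $grants) {
    $app = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    Write-Host ("Grant {0}: app '{1}' (AppId {2}) scope '{3}'" -f
        $g.Id, $app.DisplayName, $app.AppId, $g.Scope)
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}
# Tenant-wide (admin-consented) grants are not per-user; list those with
# Get-MgOauth2PermissionGrant -Filter "consentType eq 'AllPrincipals'".

# Steps 4 and 5 (pause sync clients, isolate endpoints) are endpoint-side
# actions taken from Intune/Defender, not from Graph, so they are not here.
```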

Identify the Scope

Containment and investigation run in parallel – isolate what you've found while you keep looking for what you haven't.

  • Which users are affected – cross-reference Entra ID sign-in logs for unfamiliar locations and impossible-travel patterns, not just the accounts that reported a problem.
  • Which workloads are hit – Exchange, SharePoint, OneDrive, and Teams can each be affected independently.
  • Whether encryption is still spreading – an unpaused sync client or a live session means the count is still climbing.
  • Whether data was exfiltrated, not just encrypted – with data theft the motive in over a third of M365 incidents, this may be a disclosure problem too.

Preserve Evidence of the Ransomware

Do this before you start cleaning up, not after – a malware scan or account reset can wipe the records you'll need later. Export the audit logs first: Microsoft keeps them 180 days by default, longer for Exchange, SharePoint, OneDrive, and Entra ID activity on higher-tier licenses. Then grab the Defender and Entra ID alerts that show when the account or device was first flagged, and pull endpoint telemetry off the affected machines before anything overwrites it.
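The scoping and evidence steps above, as an added example that is not an MSP360 or Microsoft script: it pulls the account's Entra ID sign-ins, flags consecutive sign-ins from different countries under an hour apart, and pages the unified audit log out to CSV with hashes before any cleanup. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules; `$Upn` and `$Out` are placeholders.

```powershell
# Added example, not an MSP360 or Microsoft script: scoping and evidence
# export for the steps above. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules; $Upn and $Out are placeholders.
$Upn   = 'compromised.user@contoso.example'   # placeholder, replace
$Out   = 'C:\IR\case-PLACEHOLDER'             # placeholder case folder
$Since = (Get-Date).AddDays(-30)
New-Item -ItemType Directory -Path $Out -Force | Out-Null

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Scope: every sign-in for the account in the window, exported raw, plus
#    a quick pass for impossible travel (country change under an hour).
$f = "userPrincipalName eq '$Upn' and createdDateTime ge " +
     $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter $f -All | Sort-Object CreatedDateTime
$signIns | Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
    @{n='Country'; e={ $_.Location.CountryOrRegion }},
    @{n='ErrorCode'; e={ $_.Status.ErrorCode }} |
  Export-Csv "$Out\signins.csv" -NoTypeInformation
for ($i = 1; $i -lt $signIns.Count; $i++) {
    $a = $signIns[$i - 1]; $b = $signIns[$i]
    if ($a.Location.CountryOrRegion -ne $b.Location.CountryOrRegion -and
        ($b.CreatedDateTime - $a.CreatedDateTime).TotalHours -lt 1) {
        Write-Warning ("Impossible travel {0} -> {1} at {2} from {3}" -f
            $a.Location.CountryOrRegion, $b.Location.CountryOrRegion,
            $b.CreatedDateTime, $b.IpAddress)
    }
}

# 2. Evidence: pull the unified audit log for the account before any
#    cleanup. One call returns at most 5000 records, so page with a
#    session until a page comes back short.
Connect-ExchangeOnline -ShowBanner:$false
$sid = "ir-$(Get-Date -Format yyyyMMddHHmmss)"
$all = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
        -UserIds $Upn -SessionId $sid -SessionCommand ReturnLargeSet -ResultSize 5000
    $all += $page
} while ($page -and $page.Count -eq 5000)
$all | Select-Object CreationDate, RecordType, Operations, AuditData |
  Export-Csv "$Out\unified-audit.csv" -NoTypeInformation
# Hash the exports so later handling can be shown not to have altered them.
Get-FileHash -Path "$Out\*.csv" -Algorithm SHA256 | Export-Csv "$Out\hashes.csv" -NoTypeInformation
```

Widen `$Since` to match how far back the tenant's audit retention actually goes; the 30-day window is only a starting point.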

Assess Recovery Options

Check options in the right order. Native version history and the recycle bin are fastest, but only help if the damage is recent enough to fall inside the window. Retention policies tell you how far back recoverable data actually goes. Immutable backups, if you have them, are the one option an attacker with admin access couldn't have touched, so they take priority. Whatever you choose, confirm the recovery point predates the attack – a backup taken after it started just restores the encrypted state.

Restore Data Safely

Do not restore blind. Restore from the most recent clean snapshot, not the most recent one by default. Validate recovered files before returning them to users – a file that looks intact can still carry a dormant payload if encryption was incomplete. Prioritize business-critical workloads first: get Exchange and the systems clients depend on back before restoring everything else in parallel.

Strengthen Security After Recovery

Close the gap that let the attack in, highest-leverage fix first. MFA blocks more than 99.2% of account-compromise attempts, per Microsoft – so start there, because what got you here was very likely an account without it. Then tighten conditional access so a stolen credential isn't enough on its own, enforce least privilege so one account can't reach everything, and make backups immutable so your recovery copy can't be hit next time.


How Backup Mitigates Ransomware in Microsoft 365

Backup is the difference between recovering and negotiating. Clean, independent copies let you restore to a point before infection – and cover the everyday case too: the accidental deletion native retention aged out months ago.

Immutable Storage

Object Lock applies WORM – write once, read many – so backup data can be read and restored but never altered or deleted while the lock holds. An attacker who reaches Global Admin can tamper with native recovery points; an immutable copy outside the tenant is the one they can't.

Point-in-Time and Versioned Recovery

Point-in-time recovery restores the whole environment to how it looked at a chosen moment – everything as it was before the attack, in one consistent state. Versioning adds depth: it keeps multiple historical copies of each file, so even a single document can be rolled back to a clean version without touching anything else.

Independent Storage

A copy that shares no credentials, network path, or admin console with your tenant survives the one scenario native tools can't: an attacker with full tenant access. Native recovery lives on the same platform it's meant to protect – this doesn't.

Granular Restore

Recover a single mailbox, OneDrive file, or SharePoint item without rolling the whole organization back. This is where Microsoft 365 Backup is weakest: its restore is tenant-wide. Granular restore solves the one-user problem, not just the whole-tenant problem.

How MSP360 Backup Helps Protect Microsoft 365

Independent Cloud-to-Cloud Backup

MSP360 Backup for Microsoft 365 keeps a separate copy of your data outside the platform it protects, covering all core components – Exchange Online, OneDrive, SharePoint, and Teams. The live tenant goes down or gets encrypted; the backup doesn't know or care.

Coverage Where Microsoft's Restore Stops

Microsoft's Files Restore doesn't roll back Exchange mailboxes. MSP360 backs up Exchange Online with full item-level restore, so a ransomware or destructive attack on email – the gap in native tooling – has a clean recovery path. Mailbox items, OneDrive files, contacts, calendars, and SharePoint files all restore individually, in a few clicks, to the original account or a different one.

Flexible Storage Architecture

Bring Your Own Cloud (BYOC) supports AWS, Wasabi, Backblaze B2, Azure, or any S3-compatible target. That ownership is what cuts long-term Microsoft 365 cost – you tier and price your own storage instead of paying a vendor's bundled rate – and it's the same ownership that keeps your recovery copy out of the attacker's reach, governed by you, not sitting in a black box. Object Lock adds immutability on top, so even a copy an attacker reaches can't be altered or deleted.

Security and Access Controls

Role-based access, MFA support, encryption in transit and at rest, and backup monitoring with alerts keep the backup itself from becoming the easier target. Permissions go down to the individual task, so the people who can run a restore aren't necessarily the people who can change what's protected.

Recovery Simplicity and Scale

One web-based console, one restore workflow, and for MSPs centralized multi-tenant management across every client domain – so a restore happens from a single place. Custom retention policies and audit logs keep the whole thing compliant with GDPR and HIPAA.

Further reading: Best Microsoft 365 Backup Solutions

Microsoft 365 Ransomware Recovery Guide in One Page

Ransomware in Microsoft 365 is identity-driven, fast, and built to outrun the platform's own recovery tools. One compromised Entra ID account can reach Exchange, SharePoint, OneDrive, and Teams at once, and native retention buys a short window for honest mistakes without surviving an attacker who deletes versions and overwrites clean copies through sync. Files Restore doesn't even cover email. Containment limits the spread; only an independent, immutable backup guarantees a point you can actually return to.

MSP360 offers a SaaS Backup solution that is built for exactly that – an independent, immutable copy in storage you control, with granular restore that reaches the single mailbox or file Microsoft's tenant-wide rollback can't. That is what Microsoft 365 ransomware recovery comes down to in practice: the organizations back online fastest are the ones that made it a backup problem long before it became a security one.
