How Backup Protects Microsoft 365 from the Growing Ransomware Threat

Ransomware attacks on Microsoft 365 are an escalating reality. Despite Microsoft’s significant investment in layered defenses, attackers continue to evolve—finding new ways to exploit cloud-based collaboration.

As organizations increasingly rely on Microsoft 365 for productivity, it has become a high-value target. While built-in security and recovery tools form an important first line of defense, they aren’t designed to cover every scenario. Gaps in retention, versioning, and recovery highlight why independent, immutable backup remains essential for complete resilience.

Understanding ransomware in the cloud

When most IT teams think of “ransomware,” they imagine compromised laptops or on-premises servers. But ransomware can just as easily encrypt or delete data stored in Microsoft 365.

Here’s how it often happens:

  • A user opens a malicious attachment or link, and ransomware encrypts files on their device. If OneDrive or SharePoint sync is enabled, those encrypted files quickly propagate to the cloud.
  • Attackers may bypass endpoints entirely by stealing Microsoft 365 credentials. With account access, they can encrypt or delete data in OneDrive, SharePoint, Teams, or Exchange—and even manipulate version settings to erase recovery options.
  • Many modern campaigns also employ double extortion tactics, stealing data and threatening exposure to pressure victims into making a payment.

The takeaway: storing files in Microsoft 365 doesn’t guarantee protection. Pairing Microsoft’s native security controls with independent, immutable backup is the only way to ensure full ransomware resilience.

Yes, ransomware really targets Microsoft 365

Real-world incidents continue to prove that Microsoft 365 environments are vulnerable.

One example involves the version history exploit, in which attackers adjust a OneDrive or SharePoint library’s version limit to a single version. By encrypting files twice, they effectively overwrite the last clean copy, leaving no usable restore point. Microsoft has acknowledged that when version history settings are reduced or abused in this way, file recovery can be extremely limited—and manual recovery through Support may only be possible within 14 days.
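The version-limit abuse described above leaves a recognizable sequence in activity logs: a library's version limit is lowered, then the same files are rewritten more times than the new limit allows. The following is an added detection sketch, not code from the original article or from Microsoft or CrashPlan. The event records and their field names are constructed for illustration and are not the Microsoft 365 audit log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events; field names are hypothetical, not a real audit schema.
EVENTS = [
    {"time": "2024-04-30T08:00:00", "type": "file_modified", "library": "Finance", "file": "payroll.xlsx"},
    {"time": "2024-05-01T09:00:00", "type": "version_limit_changed", "library": "Finance",
     "actor": "admin@example.test", "old": 500, "new": 1},
    {"time": "2024-05-01T09:05:00", "type": "file_modified", "library": "Finance", "file": "budget.xlsx"},
    {"time": "2024-05-01T09:06:00", "type": "file_modified", "library": "Finance", "file": "budget.xlsx"},
    {"time": "2024-05-01T09:07:00", "type": "file_modified", "library": "Finance", "file": "payroll.xlsx"},
    {"time": "2024-05-01T10:00:00", "type": "version_limit_changed", "library": "HR",
     "actor": "admin@example.test", "old": 100, "new": 500},
    {"time": "2024-05-01T10:05:00", "type": "file_modified", "library": "HR", "file": "policy.docx"},
]

def find_version_limit_abuse(events):
    """Flag libraries whose version limit was lowered, and list the files that were
    rewritten more times than the new limit since the change (assumed, following
    the article, to mean no pre-change version is still retained)."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    lowered = {}                                    # library -> lowering event
    writes = defaultdict(lambda: defaultdict(int))  # library -> file -> writes since change
    for e in ordered:
        lib = e["library"]
        if e["type"] == "version_limit_changed":
            if e["new"] < e["old"]:
                lowered[lib] = e
                writes[lib].clear()                 # count only writes after the latest lowering
            # A later increase is ignored: versions already trimmed stay lost.
        elif e["type"] == "file_modified" and lib in lowered:
            writes[lib][e["file"]] += 1
    findings = []
    for lib, change in lowered.items():
        exhausted = sorted(f for f, n in writes[lib].items() if n > change["new"])
        findings.append({
            "library": lib,
            "actor": change["actor"],
            "changed_at": change["time"],
            "new_limit": change["new"],
            "files_without_clean_version": exhausted,
        })
    return findings

if __name__ == "__main__":
    for finding in find_version_limit_abuse(EVENTS):
        print(finding)
```

A lowered limit is worth an alert on its own; the file list shows which items can no longer be rolled back natively and have to come from backup.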

Microsoft’s own threat data shows that human-operated ransomware remains a leading risk, with most incidents originating from unmanaged or personal devices. Attackers have also shifted toward collaboration platforms, impersonating helpdesk staff in Teams or Slack to trick users into sharing MFA tokens or resetting passwords. Groups like Scattered Spider have used these tactics in high-profile campaigns across industries, including retail, insurance, and travel.

Additionally, recent SharePoint vulnerability campaigns have demonstrated how quickly attackers weaponize newly disclosed flaws, even when targeting on-premises systems. While SharePoint Online was not affected, these events underscore the fact that threat actors continuously adapt to exploit both cloud and hybrid environments.

Microsoft 365’s built-in ransomware protections

Microsoft provides several effective built-in tools to help limit ransomware damage:

File versioning
SharePoint and OneDrive can save up to 500 versions of each file by default, allowing rollback to a clean copy. However, versioning only helps if clean versions remain within that history. Long-dwelling or slow-moving ransomware can silently overwrite multiple versions, erasing the recovery window.

Recycle bins and recovery windows
Deleted files are retained for 93 days by default across Microsoft 365. After that period, Microsoft maintains an additional 14-day recovery window accessible through Support. This safety net is helpful but limited—restores often affect entire sites rather than specific files.

OneDrive and SharePoint restore tools
The “Restore your OneDrive” and “Restore this library” options can revert accounts or document libraries up to 30 days. These tools are useful for smaller incidents but can be misused by attackers with account access, who might roll systems back to compromised states or hide their activity.

Exchange Online protection
Exchange Online includes retention holds, recoverable items folders, and anti-malware scanning that collectively protect against email-based ransomware. These features are effective when properly configured, but recovery still depends on timely detection.

Advanced threat protection
Microsoft Defender for Office 365 can identify mass file edits or suspicious patterns and automatically block malicious processes. These are powerful tools for prevention, but don’t guarantee recovery once encryption occurs.

Retention policies
Admins can apply retention rules that preserve content in hidden “Preservation Hold” libraries. This is valuable for compliance and long-term protection, but it requires prior setup and isn’t designed for rapid restore during an active attack.

Why native tools aren’t enough

While Microsoft’s capabilities offer strong baseline protection, they weren’t built to deliver complete ransomware recovery.

  • Limited timeframes: Version history, recycle bins, and restore tools have defined retention limits, ranging from 30 to 93 days. Slow-burn ransomware infections can exceed these periods, erasing clean data before discovery.
  • All-or-nothing recovery: Support-assisted restores often rebuild entire sites, not individual files, increasing downtime and complexity.
  • Performance bottlenecks: Restoring large libraries (100GB+) can take hours or days, which is unacceptable during a major outage.
  • Account compromise: If attackers gain administrative access, they can tamper with retention settings, version history, or restore tools, leaving no reliable restore path.

These realities make a strong case for maintaining independent backups that operate outside Microsoft 365’s administrative and retention boundaries.

Why independent backups are essential

Independent backups close the recovery gaps that Microsoft’s native tools can’t address.

Avoid ransom payments
With isolated, clean copies, you can recover data on your own terms—without paying for decryption keys that often don’t work.

Faster, more reliable recovery
Industry data shows average ransomware downtime approaching a month. Purpose-built backup solutions reduce that to hours by allowing precise, selective restores.

Long-term retention
Third-party backups store snapshots far beyond Microsoft’s 30–93-day limits, enabling recovery from infections that spread over time.

Immutable, isolated copies
Backups stored on separate, write-once or logically air-gapped infrastructure remain safe even if attackers compromise Microsoft 365 accounts.

Granular restoration
Unlike bulk site restores, dedicated backup platforms allow selective recovery—from a single file or email to entire workloads—minimizing disruption.

Compliance readiness
Independent backups help meet data governance and regulatory requirements for long-term data retention and provable recoverability.

CrashPlan’s Microsoft 365 ransomware recovery

CrashPlan provides enterprise-grade protection for Microsoft 365, featuring architecture designed for security, speed, and reliability. It combines continuous protection, zero-trust principles, and ransomware-resistant storage to ensure resilience in modern hybrid environments.

Continuous, immutable protection
CrashPlan continuously backs up data across OneDrive, SharePoint, and Exchange. Unlimited version history allows rollbacks to the exact point before compromise.

Direct restoration into Microsoft 365
Through native integration, clean files and messages are restored directly into the appropriate Microsoft 365 locations—minimizing downtime and ensuring business continuity.

Prioritized recovery
CrashPlan intelligently restores the most recent and frequently used data first, helping essential teams resume work quickly while full restoration continues in the background.

Automated, reliable operation
Backups run automatically without user action or VPN connection, ensuring every user has a current restore point—even during off-hours attacks.

Secure, segmented storage
Each user’s backup data is stored independently and encrypted end-to-end, preventing cross-contamination and maintaining confidentiality.

Cloud-native, ransomware-resistant architecture
CrashPlan’s storage design uses encrypted data blocks rather than open files, making backup data immutable and logically isolated from attacks—even if administrative credentials are compromised.

Together, these capabilities form a ransomware recovery platform purpose-built for Microsoft 365.

Conclusion: Strengthen your Microsoft 365 resilience

Cloud productivity delivers flexibility and efficiency, but not automatic data safety. As attackers continue to evolve, organizations must combine strong security practices with reliable recovery strategies.

Protecting Microsoft 365 data means:

  • Understanding the threat: Ransomware can affect files, mailboxes, and entire accounts.
  • Using Microsoft’s security features: MFA, phishing protection, and monitoring are essential first layers.
  • Implementing independent backup: The only proven safeguard that ensures fast, clean recovery after an attack.

CrashPlan helps organizations strengthen defenses, maintain continuity, and recover Microsoft 365 data with confidence, so ransomware never dictates the terms of business recovery.