Examine how attackers delete data from your tenant


Data deletion occurs when an attacker deletes your data, usually in a way that makes recovery difficult, if not impossible. Ransomware is a variant of this attack: the attacker compromises the network, encrypts the data, and then demands a payment for the key to decrypt it. This threat can also result in data deletion, since a successful extraction of payment often leads to further targeting by the attacker.

Various data deletion goals motivate attackers, including:

  • Covering the tracks of an attack.
  • Attempting to do irreparable harm to your business.
  • Trying to spite you or your employees.

Diagram showing a key with the word "ransomware" written across it.

Preventing data deletion

Here are a few ways cyber attackers could potentially delete data from a Microsoft 365 tenant:

  • Compromise an administrator account through phishing or password guessing to gain access, then delete data.
  • Exploit a vulnerability in an integrated app to gain unauthorized access.
  • Trick end users into accidentally deleting data themselves through phishing emails containing malicious links or attachments.
  • Use ransomware that encrypts and deletes files.
  • Steal user credentials through phishing or malware and use them to sign in and delete data.
  • Delete data directly if they already have access to a user account that has permissions to delete data.

Organizations typically focus their initial data protection mechanisms on preventing account breaches and elevation of privilege. They should then enhance their core prevention strategy by ensuring they have sufficient redundancies built into their data management processes to minimize the impact of data deletion.

Microsoft automatically backs up Microsoft 365 data and stores it redundantly within the service for maximum availability. However, it's still possible for an attacker to delete data from SharePoint sites and then purge the recycle bins, making it almost impossible to recover. Given this threat, it's critical that you employ a process for backing up critical data to offline stores that you know how to restore.

Organizations should consider implementing the following best practices to help prevent attackers from deleting data in Microsoft 365:

  • Multifactor authentication. Enable Microsoft Entra multifactor authentication (MFA) for all user accounts, especially administrators. MFA prevents attackers from easily accessing accounts even if they steal passwords.
  • Role-based access controls. Use role-based access controls to limit who has permissions to delete data. Only provide delete permissions when truly needed.
  • Alert notifications and monitoring. Set up alerts and monitoring to detect suspicious sign-ins or data deletion activity. Act quickly to suspend accounts if compromised.
  • Data backup to offline storage. Frequently back up critical data to offline storage not accessible from online accounts. This practice also provides data recovery capabilities.
  • Data encryption. Encrypt sensitive data at rest and in transit for an added layer of protection.
  • Security updates. Keep all software up to date with the latest security patches. Cybercriminals exploit unpatched vulnerabilities.
  • Security tools. Use security tools like Microsoft Defender for Office 365 to detect and block malware and phishing attempts.
  • User training. Educate employees on cybersecurity best practices to avoid falling victim to phishing and social engineering.
  • Data labeling. Classify and label data so sensitive information stands out and extra precautions can be applied to it.
  • Incident response plan. Develop an incident response plan for data breaches and practice it. Incident response plans facilitate rapid responses to cyber attacks.
  • Access termination. Carefully review permissions and access for departing employees and terminate their sessions/tokens.

The key to data protection is layering multiple preventative and detective controls to create defense in depth against malicious data deletion.
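The "alert notifications and monitoring" practice above, and the recycle-bin purge scenario described earlier, can be turned into concrete detection logic. The following is an added example (not from the original module or from Microsoft): it reads Microsoft 365 unified audit log records in their AuditData JSON shape, flags any account whose SharePoint deletions exceed a threshold inside a sliding time window, and separately flags accounts that purged the second-stage recycle bin. The sample records, the contoso.com users and the threshold values are constructed assumptions; the operation names are the audit log's own SharePoint file-deletion operations.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Audit log operations that remove SharePoint/OneDrive content; a second-stage purge defeats in-service recovery.
DELETE_OPS = {"FileDeleted", "FileRecycled",
              "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin"}
PURGE_OPS = {"FileDeletedSecondStageRecycleBin"}

def parse_records(lines):
    """Parse one AuditData JSON document per line, as exported from the audit log."""
    records = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["_time"] = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
            records.append(rec)
    return records

def find_mass_deletions(records, threshold=20, window=timedelta(minutes=10)):
    """Return ({user: peak deletions in any window}, {users who purged the recycle bin})."""
    by_user, purgers = defaultdict(list), set()
    for rec in records:
        if rec.get("Operation") in DELETE_OPS:
            by_user[rec["UserId"]].append(rec["_time"])
        if rec.get("Operation") in PURGE_OPS:
            purgers.add(rec["UserId"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged, purgers

def _event(user, op, minute, name):            # builds one constructed AuditData record
    return json.dumps({"CreationTime": f"2024-05-01T09:{minute:02d}:00", "Operation": op,
                       "UserId": user, "Workload": "SharePoint",
                       "ObjectId": f"https://contoso.sharepoint.com/sites/finance/Shared Documents/{name}"})

# Constructed sample: a compromised account deletes 25 files in 5 minutes and then purges
# the recycle bin, while a normal user recycles 3 drafts half an hour later.
SAMPLE_LINES = [_event("compromised@contoso.com", "FileDeleted", 1 + i // 5, f"q{i}.xlsx") for i in range(25)]
SAMPLE_LINES += [_event("alice@contoso.com", "FileRecycled", 30 + i, f"draft{i}.docx") for i in range(3)]
SAMPLE_LINES.append(_event("compromised@contoso.com", "FileDeletedSecondStageRecycleBin", 8, "q0.xlsx"))

if __name__ == "__main__":
    print(find_mass_deletions(parse_records(SAMPLE_LINES)))
```

In a real tenant the input lines would come from an audit log export or search; the threshold and window should be tuned to the organization's normal deletion volume so that routine clean-ups by legitimate users are not flagged.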

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1. As the Microsoft 365 Administrator for Lucerne Publishing, Inc., Holly Dickson is concerned about the recent data deletion attacks against the company. To address these attacks, Holly wants to focus Lucerne's initial data protection mechanisms on preventing account breaches and elevation of privilege. If a data deletion attack is still successful, which of the following strategies can Holly use to minimize the impact of the attack?