Malware and ransomware protection in Microsoft 365

Protecting customer data from malware

Malware consists of viruses, spyware and other malicious software. Microsoft 365 includes protection mechanisms to prevent malware from being introduced into Microsoft 365 by a client or by a Microsoft 365 server. The use of anti-malware software is a principal mechanism for protection of Microsoft 365 assets from malicious software. The anti-malware software detects and prevents computer viruses, malware, rootkits, worms, and other malicious software from being introduced into any service systems. Anti-malware software provides both preventive and detective control over malicious software.

Each anti-malware solution in place tracks the version of the software and what signatures are running. The automatic download and application of signature updates at least daily from the vendor's virus definition site is centrally managed by the appropriate anti-malware tool for each service team. The following functions are centrally managed by the appropriate anti-malware tool on each endpoint for each service team:

  • Automatic scans of the environment
  • Periodic scans of the file system (at least weekly)
  • Real-time scans of files as they're downloaded, opened, or executed
  • Automatic download and application of signature updates at least daily from the vendor's virus definition site
  • Alerting, cleaning, and mitigation of detected malware

When anti-malware tools detect malware, they block the malware and generate an alert to Microsoft 365 service team personnel, Microsoft 365 Security, and/or the security and compliance team of the Microsoft organization that operates our datacenters. The receiving personnel initiate the incident response process. Incidents are tracked and resolved, and post-mortem analysis is performed.

Exchange Online Protection against malware

All email messages for Exchange Online travel through Exchange Online Protection (EOP), which quarantines and scans in real time all email and email attachments both entering and leaving the system for viruses and other malware. Administrators don't need to set up or maintain the filtering technologies; they're enabled by default. However, administrators can make company-specific filtering customizations using the Exchange admin center.

Using multiple anti-malware engines, EOP offers multilayered protection that's designed to catch all known malware. Messages transported through the service are scanned for malware (including viruses and spyware). If malware is detected, the message is deleted. Notifications may also be sent to senders or administrators when an infected message is deleted and not delivered. You can also choose to replace infected attachments with either default or custom messages that notify the recipients of the malware detection.

The following helps provide anti-malware protection:

  • Layered Defenses Against Malware - Multiple anti-malware scan engines used in EOP help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
  • Real-time Threat Response - During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat even before a definition is available from any of the engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
  • Fast Anti-Malware Definition Deployment - The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 is an email filtering service that provides additional protection against specific types of advanced threats, including malware and viruses. Exchange Online Protection currently uses a robust and layered anti-virus protection powered by multiple engines against known malware and viruses. Microsoft Defender for Office 365 extends this protection through a feature called Safe Attachments, which protects against unknown malware and viruses, and provides better zero-day protection to safeguard your messaging system. All messages and attachments that don't have a known virus/malware signature are routed to a special hypervisor environment, where a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.

Exchange Online Protection also scans each message in transit in Microsoft 365 and provides time of delivery protection, blocking any malicious hyperlinks in a message. Attackers sometimes try to hide malicious URLs with seemingly safe links that are redirected to unsafe sites by a forwarding service after the message has been received. Safe Links proactively protects your users if they select such a link. That protection remains every time they select the link, and malicious links are dynamically blocked while good links are accessible.

Microsoft Defender for Office 365 also offers rich reporting and tracking capabilities, so you can gain critical insights into who is getting targeted in your organization and the category of attacks you're facing. Reporting and message tracing allows you to investigate messages that have been blocked due to an unknown virus or malware, while the URL trace capability allows you to track individual malicious links in the messages that have been clicked.

For more information about Microsoft Defender for Office 365, see Exchange Online Protection and Microsoft Defender for Office 365.

SharePoint Online and OneDrive for Business Protection Against Ransomware

There are many forms of ransomware attacks, but one of the most common forms is where a malicious individual encrypts a user's important files and then demands something from the user, such as money or information, in exchange for the key to decrypt them. Ransomware attacks are on the rise, particularly those that encrypt files that are stored in the user's cloud storage. For more information about ransomware, see the Microsoft Defender Security Intelligence site.

Versioning helps to protect SharePoint Online lists and SharePoint Online and OneDrive for Business libraries from some, but not all, of these types of ransomware attacks. Versioning is enabled by default in OneDrive for Business and SharePoint Online. Since versioning is enabled in SharePoint Online site lists, you can look at earlier versions and recover them, if necessary. That enables you to recover versions of items that pre-date their encryption by the ransomware. Some organizations also retain multiple versions of items in their lists for legal reasons or audit purposes.

SharePoint Online and OneDrive for Business Recycle Bins

SharePoint Online administrators can restore a deleted site collection by using the SharePoint Online admin center. SharePoint Online users have a Recycle Bin where deleted content is stored. They can access the Recycle Bin to recover deleted documents and lists, if they need to. Items in the Recycle Bin are retained for 93 days. The following data types are captured by the Recycle Bin:

  • Site collections
  • Sites
  • Lists
  • Libraries
  • Folders
  • List items
  • Documents
  • Web Part pages

Site customizations made through SharePoint Designer aren't captured by the Recycle Bin. For more information, see Restore deleted items from the site collection recycle bin. See also, Restore a deleted site collection.

Versioning doesn't protect against ransomware attacks that copy files, encrypt them, and then delete the original files. However, end-users can leverage the Recycle Bin to recover OneDrive for Business files after a ransomware attack occurs.

The following section goes into more detail on the defenses and controls Microsoft uses to mitigate the risk of cyberattack against your organization and its assets.

How Microsoft mitigates risks from a ransomware attack

Microsoft has built in defenses and controls it uses to mitigate the risks of a ransomware attack against your organization and its assets. Assets can be organized by domain with each domain having its own set of risk mitigations.

Domain 1: Tenant level controls

The first domain is the people that make up your organization and the infrastructure and services owned and controlled by your organization. The following features in Microsoft 365 are on by default, or can be configured, to help mitigate the risk and recover from a successful compromise of the assets in this domain.

Exchange Online

  • With single item recovery and mailbox retention, customers can recover items in a mailbox upon inadvertent or malicious premature deletion. Customers can roll back mail messages deleted within 14 days by default, configurable up to 30 days.

  • Additional customer configurations of these retention policies within the Exchange Online service allow for:

    • configurable retention to be applied (1 year/10 year+)
    • copy on write protection to be applied
    • the ability for the retention policy to be locked such that immutability can be achieved
  • Exchange Online Protection scans incoming email and attachments in real-time both entering and exiting the system. This is enabled by default and has filtering customizations available. Messages containing ransomware or other known or suspected malware are deleted. You can configure admins to receive notifications when this occurs.

SharePoint Online and OneDrive for Business Protection

SharePoint Online and OneDrive for Business Protection have built in features that help protect against ransomware attacks.

Versioning: As versioning retains a minimum of 500 versions of a file by default and can be configured to retain more, if the ransomware edits and encrypts a file, a previous version of the file can be recovered.

Recycle bin: If the ransomware creates a new encrypted copy of the file, and deletes the old file, customers have 93 days to restore it from the recycle bin.

Preservation Hold library: Files stored in SharePoint or OneDrive sites can be retained by applying retention settings. When a document with versions is subject to retention settings, versions get copied to the Preservation Hold library and exist as a separate item. If a user suspects their files have been compromised, they can investigate file changes by reviewing the retained copy. File Restore can then be used to recover files within the last 30 days.


Teams chats are stored within Exchange Online user mailboxes and files are stored in either SharePoint Online or OneDrive for Business. Microsoft Teams data is protected by the controls and recovery mechanisms available in these services.

Domain 2: Service level controls

The second domain is the people that make up Microsoft the organization, and the corporate infrastructure owned and controlled by Microsoft to execute the organizational functions of a business.

Microsoft's approach to securing its corporate estate is Zero Trust, implemented using our own products and services with defenses across our digital estate. You can find more details about the principles of Zero Trust here: Zero Trust Architecture.

Additional features in Microsoft 365 extend the risk mitigations available in domain 1 to further protect the assets in this domain.

SharePoint Online and OneDrive for Business Protection

Versioning: If ransomware encrypted a file in place, as an edit, the file can be recovered up to the initial file creation date using version history capabilities managed by Microsoft.

Recycle bin: If the ransomware created a new encrypted copy of the file, and deleted the old file, customers have 93 days to restore it from the recycle bin. After 93 days, there's a 14-day window where Microsoft can still recover the data. After this window, the data is permanently deleted.


The risk mitigations for Teams outlined in Domain 1 also apply to Domain 2.

Domain 3: Developers & service infrastructure

The third domain is the people who develop and operate the Microsoft 365 service, the code, and infrastructure that delivers the service, and the storage and processing of your data.

Microsoft investments that secure the Microsoft 365 platform and mitigate the risks in this domain focus on these areas:

  • Continuous assessment and validation of the security posture of the service
  • Building tools and architecture that protect the service from compromise
  • Building the capability to detect and respond to threats if an attack does occur

Continuous assessment and validation of the security posture

  • Microsoft mitigates the risks associated with the people who develop and operate the Microsoft 365 service using the principle of least privilege. This means access and permissions to resources are limited to only what is necessary to perform a needed task.
    • A Just-In-Time (JIT), Just-Enough-Access (JEA) model is used to provide Microsoft engineers with temporary privileges.
    • Engineers must submit a request for a specific task to acquire elevated privileges.
    • Requests are managed through Lockbox, which uses Azure role-based access control (RBAC) to limit the types of JIT elevation requests engineers can make.
  • In addition to the above, all Microsoft candidates are pre-screened prior to beginning employment at Microsoft. Employees who maintain Microsoft online services in the United States must undergo a Microsoft Cloud Background Check as a prerequisite for access to online services systems.
  • All Microsoft employees are required to complete basic security awareness training along with Standards of Business Conduct training.

Tools and architecture that protect the service

  • Microsoft's Security Development Lifecycle (SDL) focuses on developing secure software to improve application security and reduce vulnerabilities. For more information, see Security and Security development and operations overview.
  • Microsoft 365 restricts communication between different parts of the service infrastructure to only what is necessary to operate.
  • Network traffic is secured using extra network firewalls at boundary points to help detect, prevent, and mitigate network attacks.
  • Microsoft 365 services are architected to operate without engineers requiring access to customer data, unless explicitly requested and approved by the customer. For more information, see How does Microsoft collect and process customer data.

Detection and response capabilities

  • Microsoft 365 engages in continuous security monitoring of its systems to detect and respond to threats to Microsoft 365 Services.
  • Centralized logging collects and analyzes log events for activities that might indicate a security incident. Log data is analyzed as it gets uploaded to our alerting system and produces alerts in near real time.
  • Cloud-based tools allow us to respond rapidly to detected threats. These tools enable remediation using automatically triggered actions.
  • When automatic remediation isn't possible, alerts are sent to the appropriate on-call engineers, who are equipped with a set of tools that enable them to act in real time to mitigate detected threats.

Recover from a ransomware attack

For the steps to recover from a ransomware attack in Microsoft 365, see Recover from a ransomware attack in Microsoft 365.

Additional ransomware resources

Key information from Microsoft

Microsoft 365

Microsoft Defender XDR

Microsoft Azure

Microsoft Defender for Cloud Apps

Microsoft Security team blog posts