Ransomware Protection in Microsoft Office 365

Ransomware is an increasingly prevalent threat to company networks and data, and new variants emerge every day. That means you need to protect your entire enterprise with tools meant to prevent, stop, or mitigate ransomware attacks. Failure to do so can prove lethal to your company’s mission.

Microsoft Office 365 has the tools you need to do all of that. Let’s take a closer look at the various programs that can help make your enterprise much more resilient.

Risks Associated With a Ransomware Attack

Ransomware can shut down your business and cripple your ability to operate until you comply with an attacker’s demands. Below are details on a few of the high-profile ransomware cases in recent years:

Any company that uses email or any type of IT platform to operate is susceptible to phishing scams, network scans, and strategic website compromises. These are the primary vectors for ransomware attacks. That’s why the systems you use must include elements that assist you in both preparedness and response.

Office 365’s End-to-End Protection Against Ransomware

A ransomware attack can have a debilitating effect on your business, so it’s more important than ever to partner with the right IT service platform. Microsoft Office 365 has a comprehensive solution to the security needs associated with ransomware.

Let’s walk through each stage of the process in which you’ll need protection and the services Microsoft’s Enterprise Mobility and Security suite can offer at each stage.

Online Safety and Protection for Ransomware

In terms of general online safety, the features outlined below deal with the “lowest-hanging fruit” of ransomware vulnerabilities: the threats that are easiest to pick off.

Windows Defender Protection covers every attachment received via Outlook. Each attachment is scanned for malicious code or malware before it reaches you. Say you receive a Word document in an email. Microsoft first creates virtual machines that run in the background, then opens the attachment on those virtual machines to determine whether it is a genuine Microsoft Word file or whether it carries a macro or other malicious code that would harm your PC.

If an attachment is unsafe, Windows Defender Protection will issue a warning. This stops users in their tracks to alert them that something isn’t quite right before they can proceed.
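The attachment scanning described above is configured in Exchange Online as a Safe Attachments policy plus a rule that scopes it to recipients. The following is an added example, not from the original post, showing how an administrator would create such a policy from PowerShell with the ExchangeOnlineManagement module. The policy name, rule name, the recipient domain `contoso.com`, and the quarantine-review mailbox address are placeholders chosen for this example.

```powershell
# Added example: create a Safe Attachments policy that blocks attachments
# found malicious during detonation, and scope it to one recipient domain.
# Requires the ExchangeOnlineManagement module and an account with the
# Security Administrator (or equivalent) role. Names and the domain below are placeholders.

Connect-ExchangeOnline

# Weak setting to avoid: -Action Allow lets a detonated-malicious attachment through
# with only a warning. Block removes the message from the user's path entirely.
New-SafeAttachmentPolicy -Name 'Block malicious attachments (example)' `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress 'secops-review@contoso.com'   # placeholder mailbox that receives blocked copies

# A policy does nothing until a rule ties it to recipients.
New-SafeAttachmentRule -Name 'Safe Attachments - all users (example)' `
    -SafeAttachmentPolicy 'Block malicious attachments (example)' `
    -RecipientDomainIs 'contoso.com'               # placeholder domain

# Verify the effective configuration before relying on it.
Get-SafeAttachmentPolicy -Identity 'Block malicious attachments (example)' |
    Select-Object Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule -Identity 'Safe Attachments - all users (example)' |
    Select-Object Name, State, SafeAttachmentPolicy, RecipientDomainIs
```

Run the two `Get-` cmdlets after any change: a policy whose rule is disabled, or whose `Action` was left at `Allow`, scans attachments but does not stop them, which is the gap a practitioner most often finds during a review.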

Regarding phishing emails, Microsoft’s Intelligent Security Graph enables Microsoft to maintain awareness of malicious websites. Visiting these sites will prompt a system-generated warning, disallowing you from continuing to browse the website.

Endpoint Server Protection for Ransomware

Microsoft Defender Advanced Threat Protection provides a dashboard that shows the status of every machine in your environment. If any of them have malware, you can tell what type of malware it is and which machine is infected, and you can respond automatically by quarantining the infected machines.

Microsoft Defender Advanced Threat Protection has machine learning built in that tells you when someone in your environment is engaging in activity they do not typically engage in, so you can flag and stop suspicious activity outside the norm. One example would be an attacker compromising your computer and attempting to copy your data. Since this isn’t normal activity, the system flags it immediately and gives you the chance to intervene.

There are multiple tools available to assist with endpoint server protection, including:

  • Device Guard to halt the downloading and proliferation of malicious software on your network
  • Secure Boot to stop master boot record attacks
  • Windows 10 Kernel Hardening to limit attacks enacted through any old or unused protocols
  • Credential Guard to stop any credential theft
  • Controlled Folder Access to end the possibility of crypto-attacks

Microsoft Defender Advanced Threat Protection secures you across your entire enterprise.
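Of the tools listed above, Controlled Folder Access is the one most directly aimed at the encryption step of a ransomware attack: it lets only trusted applications write to protected folders. The following is an added example, not code from the original post or from Microsoft, showing the audit-first rollout a defender would use on a Windows 10 machine with Microsoft Defender Antivirus, via the built-in `Set-MpPreference`/`Add-MpPreference` cmdlets. The folder paths and the line-of-business application path are placeholders for this example; the event IDs 1124 (audited) and 1123 (blocked) are the ones Defender writes for Controlled Folder Access.

```powershell
# Added example: roll out Controlled Folder Access in audit mode first,
# review what would have been blocked, then enforce.
# Run in an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus.
# All folder and application paths below are placeholders.

# 1. Starting state. 0 = Disabled (the weak default), 1 = Enabled, 2 = AuditMode.
(Get-MpPreference).EnableControlledFolderAccess

# 2. Audit mode: nothing is blocked yet, but every write that *would* be blocked
#    is logged as Event ID 1124, so you learn which apps touch the data.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect the folders ransomware actually goes after, beyond the default
#    user profile folders. Local and UNC paths are both accepted (placeholders).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', '\\fileserver\shares\Projects'

# 4. After a trial period, review the audit events. Anything legitimate listed here
#    needs an allowed application entry before you enforce.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1124 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 5. Allow a trusted line-of-business app that must write to those folders (placeholder path).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LobApp.exe'

# 6. Enforce. Untrusted processes are now blocked and logged as Event ID 1123.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 7. Confirm the final configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

The audit step matters: switching straight to `Enabled` on a machine running unusual backup, sync, or accounting software tends to break that software silently, and the resulting support tickets are how Controlled Folder Access ends up turned back off. Forwarding the 1123/1124 events to your SIEM also gives you an early signal that something is trying to rewrite user data in bulk.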

Identity Protection

It’s important to protect all users in your organization, but it’s especially critical to protect those with elevated permissions. Individuals such as system administrators have more access, so a compromised administrator represents a higher risk than a compromised user with normal permissions. Exposing them to a security threat could have severe cascading impacts on your company’s network and machines.

Microsoft has a Secure Access Roadmap that helps protect your privileged access systems from attackers. Azure Information Protection also offers the ability to integrate multi-factor authentication into your systems: after you enter your password, the system prompts for a second verification to prove that it really is you logging in. With that second layer of authentication, a stolen password on its own is not enough to get into your account.

Another key capability in Azure’s suite of offerings is that Azure Active Directory can scan the dark web for you. If any accounts associated with you or your company are up for sale, you receive a notification, which lets you stop illicit use of your personal information and brings to your attention an issue you otherwise might never have realized.

Detect, Investigate, and Control

Another issue with ransomware attacks: when a computer is hit, every synced file in whatever cloud app platform you’re using is compromised as well. Cloud App Security lets you run a scan and stop the sync, halting the spread of further damage.

With Microsoft Office 365’s Advanced Threat Analytics, you can detect any abnormal or suspicious behavior that may be coming from attackers. For example, if you click on a link in a phishing email and log in with your user name and password at your corporate site, you’ve exposed that information to the attacker. They could conceivably use it to log in to any business site or app on your behalf without your knowledge. Advanced Threat Analytics will flag that type of activity.

Business Continuity and Disaster Protection


It’s crucial to have everything backed up in case your data becomes compromised. Built-in redundancy is what lets you shed vulnerability in the event of a successful ransomware attack, and with Azure Backup and Site Recovery you can do just that.

Azure Backup and Restore lets you back up data whether it’s a virtual machine, data in a SQL Server, or data held in a separate location on- or off-premises. This could be something as simple as the C drive on your PC. And once your data is backed up and stored in Azure, it sits in a safe location where you can retain or store it according to your organization’s legal policies. If you need access, you can recover your data almost immediately.

Another feature that helps you maintain continuity is OneDrive’s rollback feature, which lets you restore your files to a point in time before the ransomware hit.

While being prepared for a ransomware attack is important, having a response plan in place is equally integral to your business continuity. By the same token, you need a well-developed backup and recovery strategy in case an attack affects sensitive data. Azure Backup and Site Recovery has the tools to play a key role in maintaining business continuity following an attack.

Microsoft Stack

All of the aforementioned tools work well individually at various points in the process, but the key to prevention and management is a holistic approach to detection. With the Microsoft Stack, you can maximize detection coverage throughout every stage of an attack. The Microsoft Stack includes:

  • Office 365 Advanced Threat Protection
  • Microsoft Defender Advanced Threat Protection
  • Advanced Threat Analytics/Azure Advanced Threat Protection

Each of these products talks to the others and shares information, giving you full visibility across your entire ecosystem when it matters most: when you need to figure out how your network was compromised.

Microsoft Stack lets you perform the functions that mitigate damage, saving you time and money:

  • Patch your vulnerabilities
  • Perform your recovery
  • Return to normal business

Ransomware is not a threat to be taken lightly. Microsoft arms your organization with the precise tools needed to combat it. When you combine Office 365’s comprehensive suite of security mechanisms with a detailed preparedness and response plan, you significantly inhibit the ability of malicious actors to hurt your organization.

To find out how to get the most out of Microsoft’s Enterprise Mobility and Security services, request a quote today.
