Can ransomware attack Microsoft 365?

April 18, 2021

Topics: SaaS Backup

Gone are the days when ransomware was a problem only for on-premises systems. Today, even cloud applications are prone to new strains of ransomware. These new strains are available in the form of ransomware as a service (RaaS) and ransomware kits, which can be purchased easily on the dark web. Attackers can use them with little or no technical knowledge.

Microsoft 365, being the leading messaging and collaboration software, is a primary target for ransomware attacks. Although Microsoft has employed robust cloud security measures, the software isn’t completely ransomware-proof. WannaCry and Cerber ransomware attacks proved this point. WannaCry ransomware affected more than 200,000 Windows machines in 150 countries, causing billions of dollars in damage across multiple organizations. Cerber ransomware hit millions of Microsoft 365 users through phishing emails.

How can ransomware infect Microsoft 365?

Ransomware can infect Microsoft 365 through two main entry points:

  • Email. A malicious attachment or link is sent to the user through email. Clicking the link or opening the attachment activates the ransomware.
  • System vulnerability. A malicious network packet is sent to the user’s system, activating the ransomware.

Attacking OneDrive and SharePoint

Ransomware can infect OneDrive for Business and SharePoint Online by infecting the files on a user’s local machine. The ransomware gains access to machines through a OneDrive for Business connection or a mapped drive to a SharePoint Online library. When the user’s local files are infected, they’re synchronized online through the sync client tool. Another infection method is to gain direct access to Microsoft 365 through a successful phishing attack, encrypting the entire OneDrive or SharePoint library.

OneDrive for Business and SharePoint Online have some built-in ransomware protection in the form of versioning. But some ransomware strains are intelligent enough to tamper with the version history by modifying the files. So, without a proper backup solution like NetApp® SaaS Backup, your OneDrive and SharePoint data could still be vulnerable to ransomware.
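
The two patterns described above (a sync client pushing many rewritten files, and repeated rewrites of one file that churn its version history) both show up in the audit log as write bursts. The following is an added example, not code from the original page or from NetApp or Microsoft; it assumes audit records already exported as dictionaries with the CreationTime, UserId, Operation and ObjectId fields, and the window and thresholds are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Audit-log operations that write file content to OneDrive / SharePoint.
WRITE_OPS = {"FileModified", "FileRenamed", "FileSyncUploadedFull"}

def sample_records():
    """Constructed audit records (not real tenant data)."""
    t0 = datetime(2021, 4, 18, 9, 0, 0)
    def rec(user, op, path, offset_s):
        return {"CreationTime": (t0 + timedelta(seconds=offset_s)).isoformat(),
                "UserId": user, "Operation": op, "ObjectId": path}
    recs = [rec("alice@example.com", "FileSyncUploadedFull", f"/docs/report{i}.docx", 2 * i)
            for i in range(40)]                       # sync client pushes 40 rewritten files
    recs += [rec("bob@example.com", "FileModified", f"/notes/n{i}.txt", 1200 * i)
             for i in range(3)]                       # normal editing pace
    recs += [rec("carol@example.com", "FileModified", "/finance/ledger.xlsx", 5 * i)
             for i in range(30)]                      # one file rewritten 30 times
    recs.append(rec("bob@example.com", "FileAccessed", "/notes/n0.txt", 10))
    return recs

def find_bursts(records, window=timedelta(minutes=5), min_files=25, min_rewrites=20):
    """Flag users who, inside one sliding window, write to many distinct files
    or rewrite a single file often enough to churn its version history."""
    recent = defaultdict(deque)          # user -> (timestamp, file) pairs in window
    alerts = {}
    for r in sorted(records, key=lambda x: datetime.fromisoformat(x["CreationTime"])):
        if r["Operation"] not in WRITE_OPS:
            continue                     # reads and other events are ignored
        ts = datetime.fromisoformat(r["CreationTime"])
        q = recent[r["UserId"]]
        q.append((ts, r["ObjectId"]))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        per_file = defaultdict(int)
        for _, path in q:
            per_file[path] += 1
        distinct, rewrites = len(per_file), max(per_file.values())
        if distinct >= min_files or rewrites >= min_rewrites:
            prev = alerts.get(r["UserId"], {"distinct_files": 0, "max_rewrites": 0})
            alerts[r["UserId"]] = {
                "distinct_files": max(prev["distinct_files"], distinct),
                "max_rewrites": max(prev["max_rewrites"], rewrites)}
    return alerts

if __name__ == "__main__":
    for user, stats in find_bursts(sample_records()).items():
        print(user, stats)
```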

Attacking Exchange Online

Many people believe that Exchange Online is immune to ransomware. But Kevin Mitnick described an attack on Microsoft 365 that showed how ransomware can encrypt Microsoft 365 Exchange Online emails. The attack comes in the form of a simple phishing email. The email looks legitimate and appears to have originated from a trusted source such as Microsoft, as shown here.

This email contains a permission request by a malicious application, which the user can easily overlook, because the application looks like it originated from Microsoft. When the user accepts the permission, the malicious application gains access to Microsoft 365, particularly the user’s Exchange Online environment. After the application has access, it can encrypt entire emails in the user’s mailbox. Although Microsoft has some built-in security measures to prevent such attacks, they can’t prevent user errors, the major reason for all ransomware attacks. Without a backup solution like SaaS Backup, it would be hard to recover your data without the ransom being paid.
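
Because the attack above depends on a user granting an application write access to the mailbox, reviewing existing consent grants is a direct check for it. The following is an added example, not code from the original page or from NetApp or Microsoft; it assumes the tenant's Microsoft Graph oauth2PermissionGrants and servicePrincipals objects have already been exported as dictionaries, and the sample ids, app names and the two severity labels are constructed for illustration.

```python
# Delegated Microsoft Graph scopes that let an app rewrite mail or file content.
WRITE_SCOPES = {"Mail.ReadWrite", "Mail.ReadWrite.Shared",
                "Files.ReadWrite", "Files.ReadWrite.All", "Sites.ReadWrite.All"}

# Constructed sample data shaped like Graph /servicePrincipals and
# /oauth2PermissionGrants responses; ids and names are made up.
SAMPLE_APPS = [
    {"id": "sp-1", "displayName": "O365 Mail Update",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-2", "displayName": "Contoso CRM",
     "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    {"id": "sp-3", "displayName": "Calendar Widget", "verifiedPublisher": None},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-17",
     "scope": "Mail.ReadWrite offline_access"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.ReadWrite.All"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-04",
     "scope": "Calendars.Read User.Read"},
]

def risky_grants(grants, service_principals):
    """Return delegated grants that allow rewriting mailbox or file content,
    with grants to apps from unverified publishers listed first."""
    apps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = set((grant.get("scope") or "").split())   # scope is space-separated
        hits = sorted(scopes & WRITE_SCOPES)
        if not hits:
            continue                                        # read-only or unrelated grant
        app = apps.get(grant["clientId"], {})
        verified = bool((app.get("verifiedPublisher") or {}).get("displayName"))
        findings.append({
            "app": app.get("displayName", "<unknown>"),
            "scopes": hits,
            "offline_access": "offline_access" in scopes,   # app receives a refresh token
            "consented_for": ("tenant" if grant["consentType"] == "AllPrincipals"
                              else grant.get("principalId")),
            "severity": "review" if verified else "high",
        })
    return sorted(findings, key=lambda f: f["severity"] != "high")

if __name__ == "__main__":
    for finding in risky_grants(SAMPLE_GRANTS, SAMPLE_APPS):
        print(finding)
```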

Protect your Microsoft 365 data from ransomware: Adopt NetApp SaaS Backup today

NetApp SaaS Backup helps you recover your Microsoft 365 data immediately if a ransomware attack occurs. With automated daily backups and point-in-time, one-click granular restore capabilities, SaaS Backup can help you revert your Microsoft 365 back to its state just before the attack.

Tips to recover from a ransomware attack

How would you know whether you’ve been attacked by ransomware? You’d receive an email from the attacker asking for a ransom in the form of Bitcoin. Or you might figure it out when all your emails or files are encrypted and are in a nonusable format. Here’s what to do if you’re attacked:

  • Disable all your synchronization services—like the OneDrive sync client or SharePoint mapped drive—from all the systems.
  • Do not delete, edit, or rename the affected files; let them be.
  • Restore the data from SaaS Backup to its state just before the attack.
  • Use the synchronization services on a fresh system. Before using the services on the affected system, reimage that system so that no trace of the malware still exists.

Learn more about SaaS Backup

NetApp SaaS Backup is a secure, encrypted cloud-native software-as-a-service (SaaS) offering that protects your mission-critical Microsoft 365 data so that you can recover it if it’s deleted accidentally or maliciously. Protect Exchange Online, SharePoint Online, OneDrive for Business, Microsoft 365 Groups, Microsoft Teams, and OneNote with a user-friendly interface. Take advantage of unlimited data retention for backup and retain complete control of your data. With features like granular recovery and single-click restore, SaaS Backup makes your data easy to access when you need it. To learn more, visit the NetApp SaaS Backup page.

Technical Marketing Engineer