Microsoft 365 Ransomware Protection: Safeguarding Your Office 365 Environment

If you’ve been following the Alcion blog over the past couple of months, you’ll know that Niraj Tolia, Alcion’s CEO, and I have explored the increasingly blurred lines between data protection and cyber-security. In Niraj’s blog post, he outlined Alcion’s thesis – that the overwhelming majority of data outages are likely to be caused by cyberattacks – and my previous article gives you a sense about the true cost of a breach by walking through a real-world case study. The bottom line is that ransomware represents a credible, high-severity threat to every business using Microsoft 365 (Office 365), irrespective of the business size or sector, and its capabilities are ever-evolving.

Why Microsoft 365 is a Ransomware Target

Microsoft 365 has become an increasingly attractive target for ransomware attacks due to several factors.

• Microsoft 365 acts as a centralized data hub that houses vast amounts of critical business data making Exchange Online, SharePoint Online, and the rest of the services prime targets for sophisticated Office 365 ransomware attacks.
• The diverse set of applications provides multiple entry points for cybercriminals, increasing the attack surface and potential vulnerabilities.
• Its widespread adoption and cloud-based nature make it a high-value target, with millions of users and organizations relying on its services daily.
• Ransomware attackers often target backup data first, exploiting weaknesses in traditional backup strategies and leaving organizations vulnerable to data loss.
• A breach in one area can quickly spread across the integrated Microsoft 365 ecosystem, potentially compromising multiple services and user accounts simultaneously.

A recent market survey on ransomware trends revealed alarming statistics:

• 93% of cyberattacks target backup data first, highlighting the importance of robust backup protection.
• 75% of organizations report losing at least some of their backup data during a cyberattack, emphasizing the need for more secure backup solutions.
• 39% of affected organizations report a total loss of backup data, underscoring the devastating impact of successful ransomware attacks.

These factors, combined with evolving ransomware tactics, make Microsoft 365 a prime target for cybercriminals seeking to exploit the platform's widespread use and interconnected nature.

How Ransomware Threatens Microsoft 365 Environments

Microsoft 365's ubiquity makes it both a victim and an unwitting accomplice in ransomware propagation across SharePoint Online, Exchange Online and other cloud applications posing significant challenges for Office 365 ransomware protection. Here's how:

Email / Phishing Attacks

Exchange Online is a prime vector for ransomware delivery through sophisticated phishing emails. Advanced ransomware strains often bypass standard email filters, exploiting user trust in seemingly legitimate messages. Attackers may use social engineering tactics to craft convincing emails that appear to come from trusted sources, increasing the likelihood of users clicking on malicious links or downloading infected attachments.

Infected Endpoints

Ransomware can infect devices that access your M365 data, creating a bridge between local machines and cloud storage. When an infected device syncs with OneDrive or SharePoint, the ransomware can spread and encrypt those files stored in the cloud. This syncing process can happen silently in the background, potentially infecting large amounts of data before detection occurs.

Credential Harvesting

Once inside a network, ransomware can exploit stored credentials to move laterally across the M365 ecosystem. This technique allows attackers to gain unauthorized access to additional user accounts, services, and data repositories within the organization. Compromised admin credentials can be particularly dangerous, potentially giving attackers broad access to sensitive information and system controls.

Collaboration Tools

Teams and SharePoint sites can become inadvertent distribution channels for malicious files. As users share documents and collaborate on projects, infected files can spread quickly throughout an organization. The trust users place in internal sharing platforms can lower their guard against potential threats, making it easier for ransomware to propagate.

Data Exfiltration

Modern ransomware attacks often combine encryption with data theft. Attackers may exfiltrate sensitive information from Microsoft 365 services before encrypting it, adding another layer of pressure on organizations to pay the ransom to prevent data leaks.

For a more comprehensive analysis of why backing up Microsoft 365 data is critical, including insights on ransomware threats and other data loss scenarios, read our in-depth article on the reasons to backup Microsoft 365.

Microsoft 365 incorporates several built-in mechanisms designed to protect against ransomware threats. While these features provide a foundation for data security, Microsoft acknowledges their limitations by recommending additional third-party backup and recovery solutions.

Alcion for instance is focused on building a data protection solution for the modern age – in addition to our cloud-native architecture, Alcion’s platform leverages artificial intelligence in multiple components of the product, from intelligent backups to compliance scoring to ransomware detection. But what separates us from other data protection services (and other startups with “.ai” domains) is that we’ve built these AI models not just to pay lip-service to this exciting new technology trend, but to help solve the problem that we obsess over – protecting our customers’ mission-critical data.  

Let's explore M365 native protections:

Versioning

SharePoint and OneDrive automatically retain multiple versions of files, with a default minimum of 500 versions per file. This feature allows users to restore previous, unencrypted versions if a file falls victim to ransomware encryption. However, versioning has limitations:

• It doesn't protect against deletion of entire files or folders
• Versions can be overwritten if an attacker gains prolonged access
• Large files or frequent changes can quickly consume storage quotas

Recycle Bin Restore

When ransomware deletes files from SharePoint or OneDrive, users have a 93-day window to restore them from the recycle bin. After this period, Microsoft offers an additional 14-day recovery window. Limitations include:

• Reliance on users or admins to notice and act on deletions promptly
• Potential for attackers to empty the recycle bin, shortening the recovery window
• No protection against file encryption or corruption

File Restore

Microsoft 365 provides self-service recovery for SharePoint and OneDrive, enabling point-in-time restores within the previous 14 or 30 days, depending on configuration. Considerations for this feature:

• Limited historical reach may not cover long-dormant ransomware
• Requires users to identify the exact time of infection for effective restoration
• Can be complex for non-technical users to navigate

Exchange Online Protection (EOP)

EOP acts as a first line of defense, filtering incoming emails to intercept potential ransomware-laden messages. However:

• Sophisticated phishing attempts can still bypass filters
• It doesn't protect against internal spread of ransomware
• Effectiveness depends on up-to-date threat intelligence

Microsoft Defender for Office 365

This advanced threat protection service provides enhanced email and collaboration tool security. Considerations include:

• Requires additional licensing for full feature set
• Continuous updates needed to combat evolving threats
• May generate false positives, impacting productivity

Data Loss Prevention (DLP)

DLP policies help prevent sensitive information from being improperly accessed or shared, potentially mitigating ransomware risks. Limitations include:

• Complex setup and maintenance required for effective policies
• Can impact user productivity if overly restrictive
• May not prevent all types of data exfiltration

What Alcion Does to Enhance Microsoft 365 Ransomware Protection

Alcion’s composable architecture has been purpose-built for AI-driven data protection workflows, allowing allowed us to efficiently implement fine-grained ransomware detection techniques that our larger legacy competitors have claimed were unfeasible or, frankly, impossible.

Before going to the technical details, here's how Alcion addresses the limitations of M365’s built-in features and offers comprehensive protection:

• Intelligent Backup Scheduling: Alcion uses AI to dynamically adjust backup frequencies, ensuring critical data is protected when it's most vulnerable.
• Extended Recovery Windows: Alcion extends data recovery capabilities beyond Microsoft's limited timeframes, offering long-term retention and granular restore options.
• Automated Threat Detection: Alcion's advanced algorithms continuously monitor for signs of ransomware activity across all Microsoft 365 services, providing early warning and rapid response capabilities.
• Immutable Backup Storage: Alcion stores backups in a way that prevents tampering or deletion, even if ransomware gains admin-level access to your Microsoft 365 environment.
• Cross-Service Protection: While native tools often focus on individual services, Alcion provides holistic protection across the entire Microsoft 365 ecosystem, detecting threats that might slip through single-service defenses.
• Simplified Recovery Process: Alcion streamlines the restore process, making it easy for admins to recover data without the complexity of point-in-time searches or service-specific procedures.
• Integration with External Security Tools: Alcion enhances its threat detection capabilities by integrating with Microsoft Defender, providing a more comprehensive security posture.

Let’s explore Alcion’s composable architecture

The above enhancements address the gaps in Microsoft 365's native protections, offering a robust defense against even the most sophisticated ransomware attacks. But what sets Alcion apart is its innovative approach to ransomware detection and prevention.

Our ransomware detection algorithm is built on the following five pillars, each of which will be discussed in detail below:

• Multivariate observations for unsupervised learning
• Per-user threat detection models
• Ensemble methods
• Continuous learning
• XDR integration

Multivariate Observations for Unsupervised Learning

Alcion uses anomaly detection models to detect ransomware in customer’s environments. Anomaly detection refers to a family of unsupervised machine learning algorithms that learn what's "normal" within a given data set or system and then alert on deviations from this norm. The unsupervised nature of these models was particularly important to address the cold start problem. Specifically, it enables Alcion to offer AI-driven ransomware detection without having a corpus of pre-aggregated training data.

Alcion’s anomaly detection models are considered “multivariate” because they’re designed to process observations which consist of multiple signals. Alcion publishes one observation for each backed-up file and, by collecting multiple signals for each file, we’re able to detect attacks from a wide range of ransomware strains. This is non-trivial because . For example, some ransomware strains encrypt the entirety of the file content so that the victim can’t salvage any unencrypted content, while others only encrypt a portion of the file content so that they can expedite the attack process. Lockbit falls into the latter category and Splunk cybersecurity researchers observed this strain to be capable of encrypting over 98,000 files, totaling 53 GB, in less than 5 minutes because it only encrypts 4KB of each file.

We spent months doing research and analysis on a diverse set of ransomware strains. Using these findings, we identified a set of signals which are highly representative of ransomware-encrypted files and built a system to feed these inputs to our anomaly detection models. This feature engineering was arguably the most important part of the project because a model is only as good as the data. But that’s only one aspect to the “secret sauce” – another differentiator here is that Alcion collects a multivariate observation for each file on every backup. This breaks through the industry consensus which, as recently as 2022, held that it was prohibitively inefficient to collect signals at this granularity and frequency. This gives Alcion a leg-up in detecting ransomware attacks which are programmed to encrypt only a subset of available data. These attacks are no-less severe because, as the same Splunk cybersecurity researchers noted, “the catastrophic apex may be when a single critical file is encrypted.”

Per-User Threat Detection Models

Consider the following scenario: ACME corporation is a financial consulting firm that has 75 employees, of which 5 are executives. There is a targeted ransomware attack against just the executive team that works with critical client and business data. If multivariate observations were to be collected from all 75 users and fed into a single anomaly detection model, the performance would be underwhelming because the patterns in file-related activity differ greatly between the 75 employees. This skews the aggregate model’s perception of “normal” such that it’s less likely to raise an alarm.

Instead, we’ll achieve the most accurate inference results with separate anomaly detection models for each user, where each model is trained on the file-related activity trends which are specific for that user. This informed our decision to have each model assigned to a specific user – each model is trained only on data collected from that assigned user’s backups. As a result, the threat inferences are tailored to that user. The same technique is also applied to other distinct resources, such as individual SharePoint sites, that contain data at risk of ransomware.

By training our models at the most granular level, the user, our ransomware detection feature is also able to detect anomalies quicker. Early detection is of utmost importance when it comes to cyber-attacks – the sooner admins are alerted to an attack, the sooner they can isolate the infected systems and protect any remaining unencrypted data. This, in turn, reduces the leverage of the bad actor.

Furthermore, this design ensures that data is never shared between tenants.

Ensemble Methods

To the best of our knowledge, Alcion is the first enterprise data protection service to offer ransomware insights at resource-level granularity. But we took it one step further and implemented “ensemble methods” for each resource, meaning that each inference result published to the customer is actually a combination of results from many models. Each model in the ensemble analyzes the likelihood of threat for a specific ransomware attack profile. For instance, certain models are refined to account for the speed at which data is encrypted (remember the Lockbit example from above). Meanwhile, other models are optimized to detect ransomware attacks based on the encryption approach – some strains encrypt the data in-place while other strains delete the original file and replace it with a new file containing the encrypted content. These are just a few examples of the domain-specific knowledge that’s been encoded into our models.

In summary, we’ve designed our ransomware detection feature so that our customers get threat insights tailored to each protected resource and each of the distinct ransomware attack profiles that have been compiled by cybersecurity experts at Alcion.

Continuous Learning

Even though the variance in observations is greatly reduced by our resource-scoped models, trends in file-related activity for a resource can evolve over time. For example, we would expect to see new file-access patterns when a user changes roles or onboards to a new project. To account for this, we’ve built our models to support continuous learning (also referred to as “online learning”) so that stale observations are automatically pruned and replaced with fresh observations. This is different from traditional machine learning models where training and inference are discrete processes – once a model is deployed, it can’t learn from new observations, it can only make inferences on them. In the best-case scenario, new versions of the model are being trained on incoming observations, but end-users don’t benefit from these improvements until the new version is deployed.

It’s helpful to compare these model architectures through the lens of software deployment frameworks (continuous deployments vs. versioned deployments) – with the continuous deployment framework, customers benefit from improvements and fixes in real time. We believe that the ability to adapt in real-time to changes in file-related activity patterns is a key differentiator for Alcion’s ransomware detection capabilities.

Note that this continuous learning capability has been refined so that Alcion is still able to detect ransomware attacks that encrypt data at a slower rate. Traditionally, ransomware attacks try to encrypt data as quickly as possible, but this slow-moving approach could be used to avoid other ransomware detection alarms based on resource consumption (e.g., CPU utilization or network I/O).

XDR Integration

In the previous sections, we walked through the architecture of Alcion’s custom-built, AI-driven ransomware detection feature. While our anomaly detection models boast industry-leading detection capabilities, we’ve augmented this offering with insights from Microsoft Defender. Specifically, Alcion will check for ransomware-related signals from Microsoft Defender and seamlessly integrate any relevant data into our system so that Alcion customers can see all alerts in one place.

Our XDR integration also allows us to benefit from detected attacks impacting other parts of a customer’s IT infrastructure (e.g., employee laptops or cloud VMs). Apart from being able to leverage these signals in our AI models, they also allow us to trigger proactive backups to capture clean data before the attack spreads further.

Results

We tested our ransomware threat detection against a number of prevalent ransomware strains. As an example, the above results show the effectiveness of Alcion’s ransomware detection algorithms against the Bad Rabbit ransomware strain on a variety of different file types and file sizes. The green dotted line represents the threshold which separates ransomware-encrypted files (represented by red dots) from non-ransomware-encrypted files (represented by blue dots).

Summary

As an emerging leader in the Microsoft 365 malware protection space, Alcion found itself in a unique position to be able to redesign ransomware detection from the ground up. Rather than settling for industry parity, we invested heavily in in-house research and development. As a result, we’ve been able to incorporate findings from the frontier of cybersecurity research and build artificial intelligence models that yield insights with unprecedented granularity.

Don't let your organization become the next ransomware headline. Equip yourself with a defense mechanism that's been purpose-built to combat today's threats and anticipate tomorrow's. Let Alcion's AI-driven platform be your first line of defense against ransomware – you can try Alcion for free! The trial runs for 14 days, and no credit card is required. If you have questions or need support, find us on Discord or contact us via our support page.