Published by MSAdvance on November 19, 2025
Categories
  • Microsoft 365 Compliance & Security
Tags
  • ASR
  • Azure Backup
  • Azure security
  • Azure Storage WORM
  • Conditional Access
  • Controlled Folder Access
  • cyber resilience
  • Defender for Endpoint
  • Defender for Storage
  • Immutable Vault
  • MFA
  • Microsoft 365 Backup
  • Microsoft 365 Security
  • OneDrive Restore
  • ransomware
  • Safe Attachments
  • Safe Links
  • Sentinel
  • SharePoint versioning
  • XDR

Ransomware in Microsoft 365 and Azure (2025): how to prevent, detect and recover with strong guarantees

Ransomware has evolved into industrial “double/triple extortion” campaigns that combine encryption, data theft and public pressure. In Microsoft 365 and Azure environments, effective defense requires an end-to-end strategy: identity control, mail and collaboration protection, hardened endpoints and cloud workloads, truly immutable backups, and response playbooks that save critical minutes. This guide walks, step by step, through what to do before, during and after an attack, and explains the why of each action: which risk it mitigates, which evidence it leaves behind and how it connects with the rest of the controls.

Updated: November 19, 2025

Do you want to harden Microsoft 365 and Azure against ransomware and have a verifiable response plan?

The preventive architecture is designed, Microsoft Defender and Purview controls are applied, immutable backup is enabled and playbooks, metrics and evidence are prepared and ready for audit.


Contents

  1. Big picture: how attacks work and where to defend
  2. Before the incident: prevention and hardening
  3. During the incident: containment, investigation and communication
  4. After the incident: recovery and continuous improvement
  5. Microsoft 365: mail, files, detection and recovery
  6. Endpoint: Defender for Endpoint, ASR and Controlled Folder Access
  7. Azure: posture, network, storage and immutable backup
  8. Backup and resilience: Microsoft 365 Backup, Azure Backup and immutable blob
  9. Response and orchestration: Defender XDR, Sentinel and access revocation
  10. Actionable checklists (1h / 4h / 24h)
  11. Evidence and audit
  12. Frequently asked questions about ransomware in Microsoft 365 and Azure
  13. Official links
  14. Conclusion and next steps

Big picture: how attacks work and where to defend

The typical attack chain starts with phishing, leaked credentials or abuse of exposed services (RDP, VPN without MFA). Then comes privilege escalation (token theft, pass-the-hash), persistence (scheduled tasks, malicious OAuth apps), security control disablement and, finally, encryption and exfiltration.

Each proposed control is placed to break that chain. For example, MFA drastically reduces the value of leaked credentials; ASR and Controlled Folder Access prevent silent execution and encryption; Defender for Storage detects malicious payloads directly in the data plane; and immutable backups ensure controlled recovery even if everything else fails. Understanding this “why” lets you prioritise investments with real impact.

  • Avoid intrusion: Safe Links/Attachments, MFA and blocking legacy authentication reduce entry via mail and credentials.
  • Limit damage: ASR in block mode, Controlled Folder Access, network segmentation and Private Endpoints contain the reach and speed of the attack.
  • Guarantee return to normal: tested immutable copies remove the attacker’s leverage and minimise downtime.
Tip: draw a diagram with the attack phases and note which control interrupts each phase; this makes it easier to justify every action in investment committees.

Before the incident: prevention and hardening

Preventive decisions determine the possible “damage ceiling”. Below is a detailed list of what to do and why each measure changes the risk profile.

Identity and access (Microsoft Entra ID)

  • MFA for all accounts. Why: most confirmed intrusions start with valid credentials. Requiring a second factor invalidates password sprays, phishing and leaked passwords. For service accounts, modern methods (FIDO2, certificates) avoid reusable SMS/TOTP.
  • Conditional Access. Why: applying conditions based on risk, location or device state enforces a “healthy context” before touching sensitive data. This stops an actor from using a credential from an unusual country or an unprotected device.
  • PIM (just-in-time). Why: reducing the time with elevated privileges limits the window for abuse; each elevation leaves a trail, requires a justification and, if desired, approval. This slows down lateral movement and the disabling of defenses.
  • OAuth application hygiene. Why: an app with Mail.ReadWrite or Files.ReadWrite.All allows exfiltration without using passwords. Reviewing and revoking excessive permissions cuts off a silent lane for data theft.
Tip: run quarterly access reviews on high-impact groups and apps with broad permissions; document exceptions with an end date.

Mail and collaboration (Defender for Office 365)

  • Safe Attachments. Why: detonates attachments in an isolated environment before delivery; “dynamic delivery” avoids noticeable delays while maintaining security.
  • Safe Links. Why: rewrites URLs and evaluates them at click-time; protects against delayed activation (sites that become malicious after the email is sent).
  • Anti-phishing with impersonation protection. Why: attackers imitate domains and VIPs; impersonation policies reduce the success rate of fraud targeting critical accounts.
  • DMARC/DKIM/SPF. Why: authenticating the sender prevents external spoofing that pretends to be your own domain; it helps filter spoofing and protects reputation.
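The Safe Attachments and Safe Links settings above, as an added example with the ExchangeOnlineManagement module (not configuration from the original post). It creates one policy of each kind with dynamic delivery and click-time evaluation, applies them to an accepted domain, and then checks that every accepted domain is covered, which is the "no gaps by segment" point made later in the Microsoft 365 section. The domain and policy names are placeholders.

```powershell
# Added example: Defender for Office 365 policies with ExchangeOnlineManagement.
# Assumes: Install-Module ExchangeOnlineManagement and a Security Administrator account.
Connect-ExchangeOnline

$domain = "contoso.example"   # placeholder: one of your accepted domains

# Safe Attachments: detonate attachments before delivery. DynamicDelivery delivers the message
# body immediately and attaches the file only once the sandbox verdict is clean.
if (-not (Get-SafeAttachmentPolicy -Identity "SA-AllUsers" -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name "SA-AllUsers" -Enable $true -Action DynamicDelivery -Redirect $false
    New-SafeAttachmentRule -Name "SA-AllUsers" -SafeAttachmentPolicy "SA-AllUsers" `
        -RecipientDomainIs $domain -Priority 0
}

# Safe Links: rewrite URLs and evaluate them at click time; users cannot click through a warning.
if (-not (Get-SafeLinksPolicy -Identity "SL-AllUsers" -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name "SL-AllUsers" `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -TrackClicks $true -AllowClickThrough $false
    New-SafeLinksRule -Name "SL-AllUsers" -SafeLinksPolicy "SL-AllUsers" `
        -RecipientDomainIs $domain -Priority 0
}

# Coverage check: an accepted domain with no enabled rule is a "less protected segment".
$coveredByLinks = (Get-SafeLinksRule      | Where-Object State -eq "Enabled").RecipientDomainIs
$coveredByAtt   = (Get-SafeAttachmentRule | Where-Object State -eq "Enabled").RecipientDomainIs
foreach ($d in Get-AcceptedDomain) {
    if ($d.DomainName -notin $coveredByLinks) { Write-Warning "No Safe Links rule covers $($d.DomainName)" }
    if ($d.DomainName -notin $coveredByAtt)   { Write-Warning "No Safe Attachments rule covers $($d.DomainName)" }
}
```

Rules scoped by domain are simpler to audit than rules scoped by group; if group scoping is needed, the same coverage loop should also enumerate `SentToMemberOf` and compare it with the user population.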

Endpoint (Defender for Endpoint + Intune)

  • ASR in block mode. Why: blocks common vectors (macros, malicious WMI, LOLbins) before the attacker gains a foothold.
  • Controlled Folder Access. Why: prevents untrusted processes from encrypting working paths; it is the “seat belt” when something manages to execute.
  • Patching + LAPS + EPM. Why: closing known vulnerabilities reduces exploits; LAPS avoids reused local admin passwords; EPM replaces “make user an admin” with controlled elevations, cutting off escalation.
  • Baselines/Settings Catalog. Why: homogeneous configuration reduces gaps and conflicts; it facilitates auditing and rollback.
Tip: measure the percentage of devices with ASR/Controlled Folder Access enabled and prioritise the most exposed endpoints (users with access to sensitive data).

Azure and workloads

  • Defender for Cloud. Why: identifies weak configurations and prioritises them by impact; the secure score correlates with the likelihood of an incident.
  • Defender for Storage. Why: many attacks upload/delete files directly in storage accounts; this plane does not traverse server-side antivirus.
  • Azure Policy. Why: moving from “recommend” to “enforce” (deny/evaluate) prevents the creation of vulnerable assets by default (no TLS, no logs, no encryption).
  • Network segmentation and Private Endpoints. Why: reduces Internet-exposed surface and lateral movement; limits the attacker’s mobility.

Backup and retention

  • Azure Backup + Immutable Vault. Why: protects against attacks that try to delete backups; the immutable state prevents malicious changes in retention.
  • Blob WORM + versioning. Why: neutralises data deletion/tampering; guarantees a recoverable version even if the attacker has elevated operational permissions.
  • Microsoft 365 Backup. Why: speeds up large-scale restores; in major incidents, performance is the difference between hours or days of downtime.
  • Retention in Purview. Why: preserves critical records/files against intentional deletion, useful for investigation and compliance.
Tip: separate “recovery gold” subscriptions and apply least-privilege RBAC; that way, even if an operator is compromised, they cannot degrade backups.

During the incident: containment, investigation and communication

The goal is to stop malicious activity without destroying evidence and without impacting the business more than necessary.

Immediate containment

  • Automatic Attack Disruption. Why: automates the first containment steps (isolate host, limit accounts) in minutes; time is critical to avoid massive encryption.
  • Revoke sessions and force password change. Why: invalidating active tokens cuts off access without waiting for policy propagation; it reduces cookie/session-based persistence.
  • Network control. Why: closing ports and suspicious outbound traffic breaks C2 and exfiltration; it helps stop encryption from reaching new targets.

Coordinated investigation

  • Defender XDR. Why: correlates identity, mail, endpoint and cloud; avoids fragmented analysis that misses causal relationships.
  • Sentinel + KQL. Why: repeatable, traceable queries; allows you to find “patient zero” and quantify the scope.
  • Centralised IOCs. Why: firmly blocking across all controls prevents re-contamination through variants of the same indicator.
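Two Sentinel queries of the kind this section describes, run from PowerShell with the Az.OperationalInsights module. This is an added example and not part of the original post: the first query sizes the scope and points at "patient zero" by looking for users who touch an unusual number of SharePoint/OneDrive files in short windows; the second looks in the Azure activity log for backup policy, vault and storage data-protection changes, the precursor activity that the Azure section below recommends alerting on. The workspace ID is a placeholder, the file-count threshold is an assumption to tune per tenant, and the resource-provider operation names should be confirmed against your own activity log before the query is turned into an analytics rule.

```powershell
# Added example: two KQL queries executed against a Sentinel workspace with Az.OperationalInsights.
# Assumes: Install-Module Az.OperationalInsights and Log Analytics Reader on the workspace.
Connect-AzAccount | Out-Null
$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder: Log Analytics workspace ID

# 1) Scope / patient zero: mass modify, rename, upload or delete per user in 5-minute windows.
#    Encryption shows up at file level as many objects changed and many new extensions.
$massChanges = @'
OfficeActivity
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation in ("FileModified", "FileRenamed", "FileUploaded", "FileDeleted")
| summarize Files = dcount(OfficeObjectId),
            Extensions = dcount(SourceFileExtension),
            IPs = make_set(ClientIP, 5)
    by UserId, Window = bin(TimeGenerated, 5m)
| where Files > 300            // assumed threshold; tune against a normal week of activity
| order by Window asc          // the earliest window is the best candidate for patient zero
'@

# 2) Precursor activity in Azure: backup policy / vault configuration writes, protected-item
#    deletions and blob service property writes (where soft delete and versioning live).
$backupTampering = @'
AzureActivity
| where OperationNameValue has_any (
    "Microsoft.RecoveryServices/vaults/backupPolicies/write",
    "Microsoft.RecoveryServices/vaults/backupconfig/write",
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete",
    "Microsoft.Storage/storageAccounts/blobServices/write")
| where ActivityStatusValue in ("Success", "Succeeded")
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ResourceGroup, _ResourceId
| order by TimeGenerated desc
'@

$queries = @(
    @{ Name = "Mass file changes (last 24h)"; Query = $massChanges },
    @{ Name = "Backup/storage tampering (last 24h)"; Query = $backupTampering }
)
foreach ($q in $queries) {
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $q.Query `
             -Timespan (New-TimeSpan -Hours 24)
    Write-Host "== $($q.Name): $($r.Results.Count) rows =="
    $r.Results | Format-Table -AutoSize
}
```

Running the queries from a script rather than the portal gives the repeatability and traceability the section asks for: the same text, the same time span and the same result set can be attached to the incident record.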

Communication and coordination

  • Small crisis team. Why: less noise, faster decisions; actions are documented in an auditable channel.
  • Clear internal messaging. Why: avoids contradictory measures; prepares the business for temporary degradation.
Tip: designate spokespersons and “template” messages for suppliers, customers and regulators; this avoids delays in mandatory notifications.

After the incident: recovery and continuous improvement

  • Clean restoration from verified points. Why: restoring from a contaminated point re-introduces the attacker; validating with antimalware analysis and integrity hash checks lowers that risk.
  • Secret rotation. Why: assume that keys/passwords may have leaked; rotating them invalidates backdoors and compromised automations.
  • Actionable post-mortem. Why: turning findings into tasks with owners and due dates; continuous improvement helps avoid recurrence.
  • Additional hardening. Why: raising the bar (global ASR, stricter Conditional Access) neutralises observed techniques and reduces future attack surface.
Tip: measure “time to control” and “time to recovery” and present them alongside proposed investments; this links security to business objectives.
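One concrete form of the "integrity hash checks" mentioned in the first bullet, as an added example that is not part of the original post: before restored data is promoted to production, every file is hashed and compared with a SHA-256 manifest captured at backup time and stored with the immutable copy. The paths and the manifest format (one `<sha256>  <relative path>` line per file, forward slashes) are assumptions.

```powershell
# Added example: verify a restored tree against a trusted SHA-256 manifest before promoting it.
# Assumes the manifest was produced before the incident (for example with Get-FileHash) and kept
# alongside the immutable backup, so a tampered restore point cannot also rewrite the manifest.
param(
    [string]$RestoredRoot = "D:\Restore\finance",        # placeholder
    [string]$ManifestPath = "D:\Restore\finance.sha256"  # placeholder
)

# Parse the manifest: "<64 hex chars>  <relative path>" per line ("*" binary marker tolerated).
$expected = @{}
foreach ($line in Get-Content -Path $ManifestPath) {
    if ($line -match '^([0-9A-Fa-f]{64})\s+\*?(.+)$') {
        $expected[$matches[2].Trim().Replace('\', '/')] = $matches[1].ToUpper()
    }
}

$result = @{ Verified = 0; Mismatch = @(); Missing = @(); Unexpected = @() }
$seen   = @{}

# Hash everything under the restored root and compare with the manifest.
Get-ChildItem -Path $RestoredRoot -File -Recurse | ForEach-Object {
    $rel = $_.FullName.Substring($RestoredRoot.Length).TrimStart('\', '/').Replace('\', '/')
    $seen[$rel] = $true
    if (-not $expected.ContainsKey($rel)) { $result['Unexpected'] += $rel; return }
    $actual = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToUpper()
    if ($actual -eq $expected[$rel]) { $result['Verified']++ } else { $result['Mismatch'] += $rel }
}
$result['Missing'] = @($expected.Keys | Where-Object { -not $seen.ContainsKey($_) })

"Verified   : $($result.Verified)"
"Mismatch   : $($result.Mismatch.Count)   (content differs from the trusted manifest)"
"Missing    : $($result.Missing.Count)    (present in manifest, absent from restore)"
"Unexpected : $($result.Unexpected.Count) (not in manifest; review before promoting)"
$result.Mismatch + $result.Unexpected | ForEach-Object { "  $_" }

# Non-zero exit blocks an automated promotion step when the restore is not clean.
if ($result.Mismatch.Count -gt 0 -or $result.Unexpected.Count -gt 0) { exit 1 }
```

A mismatch or an unexpected file is a reason to pick an earlier restore point, not to "fix" the file in place; the output of this check is also one of the artefacts the "Evidence and audit" section asks to keep.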

Microsoft 365: mail, files, detection and recovery

Exchange Online, SharePoint and OneDrive

Why these actions: mail is the most common attack vector and OneDrive/SharePoint host critical documents. Securing inbound and having versioning/restores available avoids “irrecoverable loss” and reduces downtime.

  • Safe Links/Attachments and full coverage. Why: without gaps by OU or group, attackers cannot “aim” at less protected segments.
  • High versioning and retention. Why: ensures enough rollback points even with massive changes; attackers often “touch everything” to exhaust versions.
  • OneDrive Restore and Microsoft 365 Backup. Why: the former covers individual accounts; the latter orchestrates large-scale restores with reasonable SLAs.
  • DLP and sensitivity labels. Why: slows down secondary exfiltration (when the attacker tries to extract data after getting in).
Tip: maintain “gold” libraries with reinforced retention and group-based access; audit “public link” sharing.
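The "high versioning" bullet, as an added example with PnP PowerShell that is not part of the original post: every document library in a site is inspected and, where versioning is off or the major-version limit is below an assumed floor, it is raised so that a mass-modification wave cannot exhaust the rollback points. The site URL and the floor of 500 versions are assumptions; recent PnP.PowerShell releases also require the `-ClientId` of a registered Entra application on `Connect-PnPOnline`.

```powershell
# Added example: enforce a minimum versioning depth on every document library of a site.
# Assumes: Install-Module PnP.PowerShell and site collection administrator rights.
$siteUrl     = "https://contoso.sharepoint.com/sites/finance"   # placeholder
$minVersions = 500                                              # assumed floor of major versions

Connect-PnPOnline -Url $siteUrl -Interactive   # add -ClientId <app id> on current module versions

# Base template 101 = document library; hidden/system lists are skipped.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

foreach ($lib in $libraries) {
    $tooShallow = (-not $lib.EnableVersioning) -or ($lib.MajorVersionLimit -lt $minVersions)
    if ($tooShallow) {
        Set-PnPList -Identity $lib -EnableVersioning $true -MajorVersions $minVersions
        Write-Host ("Raised '{0}': versioning={1}, limit={2} -> {3}" -f
            $lib.Title, $lib.EnableVersioning, $lib.MajorVersionLimit, $minVersions)
    } else {
        Write-Host ("OK '{0}': {1} major versions" -f $lib.Title, $lib.MajorVersionLimit)
    }
}
```

Running the same loop over a list of "gold" sites, and recording the output, is a cheap way to produce the versioning evidence that the audit section later asks for.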

Endpoint: Defender for Endpoint, ASR and Controlled Folder Access

Why these actions: ransomware needs to execute on the endpoint to encrypt; stopping execution and access to valuable folders neutralises the impact even if someone has already clicked.

  • ASR + EDR in block mode. Why: blocks known obfuscation and payload delivery paths; reduces dependence on signatures.
  • Controlled Folder Access. Why: most valuable data sits in Documents/Desktop/Projects; protecting these paths prevents automated encryption.
  • Minimal exclusions. Why: every exclusion is a doorway; periodic review avoids “temporary exceptions” staying open forever.
Tip: audit processes requesting exclusions and require recognised signatures/publishers before allowing them.
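An added example (not from the original post) for the ASR, Controlled Folder Access and "minimal exclusions" items in this section and in the earlier "Endpoint (Defender for Endpoint + Intune)" list. It uses the local Defender Antivirus cmdlets on one Windows device to apply a set of ASR rules and Controlled Folder Access in audit mode first, then reports every rule that is not yet blocking and every exclusion present, which is the per-device measurement the earlier tip asks for. In production the same settings are pushed by Intune; this script is for lab validation and for measuring. The rule GUIDs are Microsoft's published ASR rule identifiers and should be checked against the ASR rules reference linked at the end of the article; the project path is a placeholder.

```powershell
# Added example: apply and measure ASR rules + Controlled Folder Access with the Defender cmdlets.
# Run in an elevated PowerShell on a device with Microsoft Defender Antivirus active.
$asrRules = @{   # GUID -> rule name; verify against the ASR rules reference before relying on them
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "3B576869-A4EC-4529-8536-B80A7769E899" = "Block Office applications from creating executable content"
    "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" = "Block Win32 API calls from Office macros"
    "D3E037E1-3EB8-44C8-A917-57927947596D" = "Block JavaScript/VBScript from launching downloaded executable content"
    "9E6C4E1F-7D60-472F-BA1A-A39EF4E26E5B" = "Block credential stealing from LSASS"
    "D1E49AAC-8F56-4280-B9BA-993A6D77406C" = "Block process creations originating from PSExec and WMI commands"
    "C1DB55AB-C21A-4637-BB3F-A12568109D35" = "Use advanced protection against ransomware"
}

# Start in audit, read the audit events for a while, then switch to "Block" once exclusions settle.
$mode   = "Audit"
$action = if ($mode -eq "Block") { "Enabled" } else { "AuditMode" }

foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
}

# Controlled Folder Access protects the user profile folders by default; add a project path (placeholder).
Set-MpPreference -EnableControlledFolderAccess $action
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Projects"

# Measurement: which rules are not blocking yet (1 = Block, 2 = Audit, 0 = Off) and what is excluded.
$pref   = Get-MpPreference
$states = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $states[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($id in $asrRules.Keys) {
    $state = if ($states.ContainsKey($id)) { $states[$id] } else { 0 }
    if ($state -ne 1) { Write-Warning ("Not blocking: {0} (state={1})" -f $asrRules[$id], $state) }
}
"Controlled Folder Access state: $($pref.EnableControlledFolderAccess) (1 = Block, 2 = Audit)"
"Exclusions on this device (each one is a doorway; review with an owner and an expiry):"
@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ControlledFolderAccessAllowedApplications) |
    Where-Object { $_ } | ForEach-Object { "  $_" }
```

The audit-mode events (Event ID 1122 for ASR and 1124 for Controlled Folder Access in the Microsoft-Windows-Windows Defender/Operational log) are what tells you which line-of-business processes would be blocked; those are the candidates for a signed-publisher allow-list rather than a path exclusion.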

Azure: posture, network, storage and immutable backup

Posture and detection

Why: many intrusions escalate into the cloud to encrypt mounted shares or exfiltrate from PaaS services. Defender for Cloud and Defender for Storage detect anomalous patterns without relying on the guest OS.

Network and attack surface

  • NSG/ASG + Azure Firewall. Why: separating by function and controlling egress prevents servers being used as pivots and C2 relays.
  • Private Endpoints. Why: removing PaaS from the public Internet forces governed internal transit; less surface for scanning/abuse.
  • JIT for RDP/SSH. Why: exposes access only when needed and from specific IPs; reduces exploitation of open services.

Backup and immutable storage

  • Immutable Vault. Why: even with a compromised privileged account, the policy cannot be shortened or removed; this is the last line of defense.
  • WORM + versioning + change feed. Why: guarantees traceability and tamper-proof recovery points; very useful during audits.
Tip: enable alerts for backup policy changes or when Soft Delete is disabled; this is a common precursor to an attack.
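An added example with Az PowerShell (not configuration from the original post) for the controls in this section and in the earlier "Azure and workloads" and "Backup and retention" lists: Defender for Storage at subscription level, soft delete and immutability on a Recovery Services vault, versioning, change feed and soft delete on a storage account, and a time-based WORM policy on the backup container. The resource names and the 365-day retention are placeholders and assumptions; the two locking steps are left commented out because they are one-way.

```powershell
# Added example: Azure backup and storage hardening with Az PowerShell.
# Assumes: Install-Module Az (RecoveryServices, Storage, Security) and Owner/Contributor on the
# dedicated "recovery gold" subscription or resource group.
Connect-AzAccount | Out-Null
$rg        = "rg-recovery-gold"     # placeholder
$vaultName = "rsv-recovery-gold"    # placeholder
$saName    = "stgrecoverygold"      # placeholder
$container = "backups"              # placeholder

# 1) Defender for Storage for the whole subscription: inspection happens in the data plane,
#    so uploads that never touch a server are still scanned.
Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Standard" | Out-Null

# 2) Recovery Services vault: soft delete that cannot be switched off, and immutability in the
#    reversible "Unlocked" state while retention policies are validated.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState AlwaysOn | Out-Null
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -ImmutabilityState Unlocked     | Out-Null
# One-way, once validated: a locked vault cannot have retention shortened or immutability removed.
# Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -ImmutabilityState Locked

# 3) Blob data protection: versioning + change feed (tamper-proof history) and soft delete.
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $saName `
    -IsVersioningEnabled $true -EnableChangeFeed $true | Out-Null
Enable-AzStorageBlobDeleteRetentionPolicy      -ResourceGroupName $rg -StorageAccountName $saName -RetentionDays 30 | Out-Null
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $saName -RetentionDays 30 | Out-Null

# 4) WORM: time-based retention on the backup container (365 days assumed).
$policy = Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $saName `
    -ContainerName $container -ImmutabilityPeriod 365
# One-way, once validated: after locking, the period can only be extended, never shortened or removed.
# Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $saName `
#     -ContainerName $container -Etag $policy.Etag -Force

# 5) Read the resulting state back: this object is what goes in the evidence dossier.
$vaultProps = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
$blobProps  = Get-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $saName
[pscustomobject]@{
    VaultSoftDelete   = $vaultProps.SoftDeleteFeatureState
    VaultImmutability = $vaultProps.ImmutabilityState
    BlobVersioning    = $blobProps.IsVersioningEnabled
    ChangeFeed        = $blobProps.ChangeFeed.Enabled
    WormRetentionDays = $policy.ImmutabilityPeriodSinceCreationInDays
    WormPolicyState   = $policy.State
}
```

The pattern is the same for both the vault and the container: enable in a reversible state, run a restore test, and only then lock, because a locked policy with the wrong retention is itself a costly mistake. The alert the tip above recommends can be built on the activity-log operations that these cmdlets generate.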

Backup and resilience: Microsoft 365 Backup, Azure Backup and immutable Blob

Why these actions: without verified immutable copies, the attacker has leverage to extort. With them, the conversation shifts from “whether we can come back” to “how long it will take us to come back”.

  • RPO/RTO per service. Why: sets expectations and budget; if a service can tolerate four hours of data loss, hot replication is not required.
  • Regular testing. Why: the only real evidence that you can restore is actually restoring; tests also reveal hidden dependencies (credentials, DNS, certificates).
  • Restoration catalogue. Why: avoids improvisation; every service has a clear path and owners on the crisis day.
Tip: version recovery runbooks and keep sealed “credential kits” for scenarios without SSO.

Response and orchestration: Defender XDR, Sentinel and access revocation

Why these actions: coordination and automation shorten the damage window; revoking access removes persistence; documenting decisions reduces legal risk.

  • Correlated incidents. Why: avoids losing the causal thread (one email led to a process that touched a share and exfiltrated to a domain).
  • Automated playbooks. Why: repeatable actions with no human error (IoC blocking, isolation, tickets) executed in seconds.
  • Systematic revocation. Why: persistent tokens and OAuth apps survive password changes; revoking sessions and permissions cuts off that path.
Tip: separate “no-regret” automations from those requiring approval; this gives you speed without overreacting.

Actionable checklists (1h / 4h / 24h)

First hour: stabilise

  • Crisis team and secure channel. Why: reduces noise and avoids leakage of sensitive information.
  • Automatic containment in XDR; isolate critical devices. Why: immediately cut off encryption and C2.
  • Revoke sessions and pause suspicious automations. Why: close active persistence mechanisms.
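The "revoke sessions" step of this first-hour list and the "Systematic revocation" item in the previous section, as an added example with the Microsoft Graph PowerShell SDK that is not part of the original post: the account is disabled, all issued sessions and refresh tokens are revoked, the user's delegated OAuth grants are reviewed and the ones carrying mail or file write scopes are removed, and the last 24 hours of sign-ins are pulled for the incident timeline. The UPN, the list of scopes treated as risky and the permission scopes requested on connect are assumptions.

```powershell
# Added example: first-hour containment for one compromised account with Microsoft Graph PowerShell.
# Assumes: Install-Module Microsoft.Graph; scopes below are those assumed to be needed for each step.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.EnableDisableAccount.All", "User.RevokeSessions.All",
    "DelegatedPermissionGrant.ReadWrite.All", "Application.Read.All", "AuditLog.Read.All"

$upn         = "compromised.user@contoso.example"   # placeholder
$riskyScopes = @("Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Sites.ReadWrite.All",
                 "MailboxSettings.ReadWrite")        # assumed list: scopes that allow silent exfiltration

$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled

# 1) Block sign-in and invalidate every token already issued. A password change alone leaves
#    existing refresh tokens and session cookies usable until they expire; revocation does not.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Host "Disabled $($user.UserPrincipalName) and revoked its sessions"

# 2) Delegated OAuth grants consented by this user survive password resets; remove the risky ones.
$grants = Get-MgOauth2PermissionGrant -All -Filter "principalId eq '$($user.Id)'"
foreach ($g in $grants) {
    $app    = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName, AppId
    $scopes = ($g.Scope -split ' ') | Where-Object { $_ }
    $hit    = $scopes | Where-Object { $_ -in $riskyScopes }
    if ($hit) {
        Write-Warning "Removing grant to '$($app.DisplayName)' ($($app.AppId)): $($hit -join ', ')"
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
    } else {
        Write-Host "Kept grant to '$($app.DisplayName)': $($g.Scope)"
    }
}

# 3) Evidence for the timeline: recent sign-ins (app, IP, client, result) for the last 24 hours.
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)' and createdDateTime ge $since" -Top 50 |
    Select-Object CreatedDateTime, AppDisplayName, IpAddress, ClientAppUsed,
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize
```

Each step writes to the Entra audit log under the operator's identity, which is the auditable trail the communication section asks for; the sign-in export should be saved with the incident record before the account is re-enabled with a freshly reset password and re-registered MFA methods.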

Four hours: size and cut off

  • Block IOCs and prepare selective restores. Why: prevent reinfection and quickly recover key areas.
  • Verify immutable vaults and recent restore points. Why: confirm that a safe recovery path exists.

24 hours: recover and communicate

  • Restore prioritised services and validate integrity. Why: return to production without carrying malware forward.
  • Communicate based on verified facts. Why: controlled transparency reduces reputational and legal impact.
  • Eradication/hardening plan. Why: close the gaps that enabled the incident.
Tip: rehearse the checklist every six months with a stopwatch; measure real timings and incorporate improvements.

Evidence and audit

Why: in severe incidents, the ability to prove due care and control lowers fines, improves policy coverage and speeds up return to normal.

  • Export of key policies and configurations. Why: proves that controls were in place.
  • Incident log with timeline and actions. Why: demonstrates the speed and rationale of the response.
  • Records of drills and recovery tests. Why: shows that you are not improvising.
  • Inventory of exceptions with expiry dates. Why: prevents temporary backdoors from staying open.
Tip: store evidence in a location with legal hold/retention; limit downloads and instrument access auditing.

Frequently asked questions about ransomware in Microsoft 365 and Azure

Clear answers to common questions raised in security and business continuity committees.

Does Defender for Office 365 fully block ransomware coming via email?

It greatly reduces inbound risk (attachments/URLs), but an attacker can still get in via credentials or exposed services. The combination with MFA, Conditional Access and ASR on endpoints is what closes the remaining paths.

Does OneDrive Restore replace Microsoft 365 Backup?

No. OneDrive Restore is excellent for individual accounts and short time windows; Microsoft 365 Backup is designed for fast, orchestrated, large-scale restores in Exchange, OneDrive and SharePoint, typical in a major incident.

Why block legacy authentication if we already have MFA?

Because many legacy protocols do not support MFA; an attacker can authenticate against them with just username/password. Blocking them removes that shortcut.

Is it worth investing in immutability if we already have backups?

Yes. Attackers attempt to delete or degrade backups; immutability prevents malicious changes and guarantees that there is always a way back.

What does the business gain from PIM if it adds friction?

It reduces the exposure time of high privileges, limits the ability to disable defenses and provides a clear record of who elevated, when and why. That traceability protects the business when decisions must be explained.

Why use Defender for Storage if we already have antivirus on servers?

Because many flows upload/read data directly from storage accounts without passing through servers; Defender for Storage inspects at the data plane and detects anomalies that antivirus does not see.

Official links

  • Safe Attachments — Defender for Office 365
  • Safe Links — Defender for Office 365
  • Attack Surface Reduction — overview and rules reference
  • Controlled Folder Access
  • Restore your OneDrive
  • Ransomware detection in OneDrive
  • Microsoft 365 Backup — architecture
  • Azure Backup — Soft Delete and Immutable Vault
  • Azure Blob — immutable storage (WORM)
  • Defender for Storage — malware scanning
  • Automatic Attack Disruption (Defender XDR)
  • Revoke user access (Entra ID)
  • Ransomware protection — Microsoft compliance guidance

Conclusion and next steps

Ransomware defense in Microsoft 365 and Azure works when every action responds to a clear “why”: strong identity to eliminate credential theft, secure mail to filter the main entry path, hardened endpoints to stop execution, governed cloud to close default gaps, immutable copies to guarantee recovery, and orchestrated response to win minutes. With metrics and evidence, security stops being an abstract cost and becomes measurable operational continuity.

Do you want an implementation with guarantees and metrics?

  • Risk assessment and impact-based control roadmap.
  • Deployment of Defender, Purview and immutable backups with recovery tests.
  • Response playbooks, drills and an audit-ready dossier.
