Ransomware Considerations for Microsoft 365

Paul Gray
Portfolio Manager, JT Enterprise

Most of us are familiar with Microsoft 365 (M365), an ecosystem that includes an entire workplace suite of applications such as collaboration tools, email, cloud storage and much more. As attacks continue to plague businesses of all sizes, it’s not only natural to ask where the risks might lie within M365, but also prudent.

If you use M365 and don’t understand or take advantage of the security tools within this ecosystem, your business runs the risk of being exposed to ransomware attacks. The bottom line with ransomware today is that you will be targeted, regardless of your size or turnover; it’s a matter of when, not if.

In this piece we look at some of the areas in M365 that cyber criminals could gain access to, and some ransomware prevention steps to improve the security status of your M365.

M365 Ransomware Threat Surface

Phishing emails

Cyber criminals craft and send very convincing emails that can get even the most vigilant of users to disclose their application login information, or inadvertently download malicious files as attachments. These phishing emails are one of the ways attackers can infiltrate a network and, without sufficient controls in place, can result in a damaging ransomware attack.

Directory Synchronisation  

It’s common for a company to synchronise Active Directory accounts to their Office 365 tenancy, which will include their administrator accounts.

If an administrator gets phished, the attacker will gain admin access to your M365 or Azure instance, meaning they can delete, exfiltrate or encrypt your data and demand a ransom.

Make sure privileged accounts can’t be abused, and make sure you have the relevant alerts turned on for all admin-level functions. This is available within the product when set up correctly.

SharePoint Online   

When one local machine gets infected by ransomware, it’s not good, but it’s not game over. The real headaches begin when ransomware infects multiple hosts through lateral movement, eventually leading to a complete business shutdown.

An attacker could compromise a single local workstation and upload a malicious file to SharePoint. If users interact with this file, perhaps as an attachment to an email or a link shared within Teams, more and more workstations become infected and ransomware begins to take hold.

M365 Ransomware Prevention Tips

However, it’s not all bad news: with guidance from JT’s experts, we can help. Thankfully, M365 has built-in tools to protect against ransomware, but it’s important to know how to configure them to suit your business.

Here are some tips you can implement to help prevent ransomware attacks through M365:

Protect endpoints with endpoint detection and response (EDR) software: End-user devices, such as laptops, must be protected with a dedicated EDR solution. Embedded within M365 is Windows Defender, which uses an AI-driven approach to detect anomalies that could indicate a compromise.

Restrict access rights: This security principle helps protect against a situation where someone compromises an account with excessive privileges and manages to propagate ransomware throughout your network.

Use Multifactor Authentication: Users are the weakest link in your company’s security defences, so you need to protect them with authentication controls. MFA requests an additional layer of verification beyond a user’s login credentials before letting people log in or perform specific actions.

Implement conditional access: Conditional access lets you set controls that only allow access from trusted IP ranges or specific countries. If your people are based in four countries, a login attempt from a new part of the world would be blocked.

Back up your M365 data: As outlined in our blog on SaaS backup, Microsoft operates a shared responsibility model, which means they guarantee the uptime of your platform but are not responsible for your data – this is for you to back up and manage. Backing up M365 is available through third-party providers.
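
The conditional access, MFA and privileged-account tips above can be tested against sign-in data before a policy is enforced. The following is an added example, not JT's or Microsoft's code: it evaluates constructed sign-in records against an assumed set of trusted IP ranges and four allowed countries, and raises an alert for admin sign-ins without MFA. The function names, field names, addresses and country list are all assumptions.

```python
import ipaddress

# Assumed policy values (constructed): documentation IP ranges, four home countries.
TRUSTED_RANGES = [ipaddress.ip_network(n)
                  for n in ("203.0.113.0/24", "198.51.100.0/25")]
ALLOWED_COUNTRIES = {"JE", "GG", "GB", "IE"}

# Constructed sign-in records; field names are simplified, not a Microsoft schema.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "country": "JE",
     "mfa": True, "admin": False},
    {"user": "bob@example.com", "ip": "192.0.2.44", "country": "GB",
     "mfa": True, "admin": False},
    {"user": "admin@example.com", "ip": "198.51.100.200", "country": "BR",
     "mfa": False, "admin": True},
    {"user": "ops-admin@example.com", "ip": "198.51.100.7", "country": "US",
     "mfa": False, "admin": True},
]

def from_trusted_range(ip_text):
    """True if the address parses and falls inside a trusted range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable address is never treated as trusted
    return any(addr in net for net in TRUSTED_RANGES)

def evaluate(signin):
    """Return (decision, reasons): 'block', 'alert' or 'allow'."""
    reasons = []
    # Access is allowed from a trusted IP range OR an allowed country.
    location_ok = (from_trusted_range(signin["ip"])
                   or signin["country"] in ALLOWED_COUNTRIES)
    if not location_ok:
        reasons.append("outside trusted IP ranges and allowed countries")
    # Admin-level sign-ins without MFA are always worth an alert.
    if signin["admin"] and not signin["mfa"]:
        reasons.append("privileged account signed in without MFA")
    if not location_ok:
        return ("block", reasons)
    return ("alert", reasons) if reasons else ("allow", reasons)

def review(signins):
    """List (user, decision, reasons) for every sign-in that is not allowed."""
    results = [(s["user"],) + evaluate(s) for s in signins]
    return [r for r in results if r[1] != "allow"]

if __name__ == "__main__":
    for user, decision, reasons in review(SAMPLE_SIGNINS):
        print(f"{decision.upper():5} {user}: {'; '.join(reasons)}")
```

Running a report like this over historical sign-ins shows which legitimate users a country or IP restriction would lock out before the policy goes live.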

Take action today

At JT, we offer a range of modern workplace solutions that can improve your M365 ransomware defences:

  • Our JT Cloud Backup solution, delivered in partnership with Ekco, keeps your data safe and ensures it’s easily recoverable.
  • We also provide JT Managed Cybersecurity Services, under our JT Cyber Advisory, Protection and Prevention framework to protect and secure your business-critical information.

To learn more about using JT Cloud Backup for backing up your Microsoft Office 365 data, and to claim our 30% off + FREE setup offer, get in touch with our team using the form below:

** Subject to terms and conditions and a minimum term commitment.