Microsoft 365 is the ultimate platform for sharing data, collaborating, and communicating with people inside and outside your organization. With more than a million companies worldwide using the Microsoft cloud, it’s important to protect your organization against ransomware. Unfortunately, no matter how careful you are, you can still fall victim to ransomware through emails, attachments and links. Ransomware is big business, and the attacks have gotten very sophisticated.

In this post, we outline Microsoft’s recommended best practices to protect and recover from a ransomware attack. These steps apply to:

Microsoft Defender for Office 365 helps safeguard organizations against malicious threats posed by email messages, links (URLs) and collaboration tools. Learn more about Microsoft Defender for Office 365.

Step 1: Verify your backups

If you have offline backups, you can probably restore encrypted data after you’ve removed the ransomware payload (malware) from your environment.

If you don’t have backups, or if your backups were also affected by the ransomware, you can skip this step.

As a reminder, Microsoft does not back up your email, SharePoint, Teams, or other components of Office 365. We recommend you implement a backup solution for data recovery in case of a ransomware attack.

Step 2: Disable Exchange ActiveSync and OneDrive sync

The key point here is to stop the spread of data encryption by ransomware.

If you suspect your email has been the target of ransomware encryption, temporarily disable user access to mailboxes. Exchange ActiveSync synchronizes data between devices and Exchange Online mailboxes.

To disable Exchange ActiveSync for a mailbox, see How to disable Exchange ActiveSync for users in Exchange Online.

To disable other types of access to a mailbox, see:

Pausing OneDrive sync will help prevent your cloud data from being updated by potentially infected devices. For more information, see How to Pause and Resume sync in OneDrive.

Step 3: Remove the malware from the affected devices

Run a full, current antivirus scan on all suspected computers and devices to detect and remove the payload that’s associated with the ransomware.

Don’t forget to scan devices that are synchronizing data, or the targets of mapped network drives.

You can use Windows Defender or (for older clients) Microsoft Security Essentials.

Alternately, the Malicious Software Removal Tool (MSRT) will also help remove ransomware or malware.

If these options don’t work, you can also try Windows Defender Offline or Troubleshoot problems with detecting and removing malware.

Step 4: Recover files on a cleaned computer or device

After you’ve completed the previous step to remove the ransomware payload from your environment (which will prevent the ransomware from encrypting or removing your files), you can use File History in Windows 10 and Windows 8.1, or System Protection in Windows 7, to attempt the recovery of your local files and folders.


  • Some ransomware will also encrypt or delete backed up versions, so you can’t use File History or System Protection to restore files. If that happens, you need to use backups from external drives or devices that were not affected by the ransomware, or OneDrive as described in the next section.
  • If a folder is synchronized to OneDrive and you aren’t using the latest version of Windows, there may be some limitations using File History.

Looking to simplify Office 365/Microsoft 365 management, improve security, and reduce operating and licensing costs? Start using the Inscape platform for free! Over 1,000 companies are using Inscape to get valuable time back.

Step 5: Recover your files in your OneDrive for Business

Files Restore in OneDrive for Business will allow you to restore your entire OneDrive to a previous point in time within the last 30 days. For more information, see Restore your OneDrive.

Step 6: Recover deleted email

In the rare case that ransomware has deleted all your email, you can probably recover the deleted items. For more information, see:

Step 7: Re-enable Exchange ActiveSync and OneDrive sync

After you’ve cleaned your computers and devices, and recovered your data, you can re-enable Exchange ActiveSync and OneDrive sync, which were previously disabled (in Step 2).

(Optional) Step 8: Block OneDrive sync for specific file extensions

After you’ve recovered, you can take steps to prevent OneDrive for Business clients from synchronizing the file types that were affected by ransomware. For more information, see Set-SPOTenantSyncClientRestriction

Report the attack

The steps in this article will give you the best chance to recover data and stop the internal spread of infection according to Microsoft. Before you get started, consider the following items:

  • There’s no guarantee that paying the ransom will give you access to your files. In fact, paying the ransom can make you a target for future ransomware attacks.

If you already paid, but you recovered without using the attacker’s solution, contact your bank to see if the transaction can be blocked.

  • It’s important that you respond quickly to the attack and its consequences. The longer you wait, the less likely it is that you will be able to recover the affected data.

We also recommend you report the ransomware attack to scam reporting websites and your local or federal law enforcement agencies. If you are in the U.S., you can contact the FBI local field officeIC3 or Secret Service.

Contact MessageOps for Help with Microsoft 365 Security

MessageOps has a team of Microsoft 365 security experts who can assist you. Click on the following link to get started:, call us at 877-788-1617, or email us at [email protected] for assistance with any of the following services:

  • Cloud Migration
  • Microsoft Cloud Collaboration (Teams, SharePoint) Consulting, Training, Design, Deployment and Management
  • Microsoft Cloud Governance
  • On premise and Azure Active Directory
  • Ransomware Vulnerability and Recoverability Assessment
    • Provides the vital information organizations needs to help prevent and/or recover from a ransomware attack
  • Enterprise Mobility + Security / Intune
  • Microsoft Endpoint Manager / SCCM
  • Defender
  • Advanced Threat Protection
  • Windows Hello
  • Autopilot
  • Microsoft Security Assessment


Was this article helpful?