Safeguard Your Data and Network from Ransomware with Microsoft 365

Defending against ransomware is crucial in today’s digital landscape. Ransomware, a constant and serious threat in the digital landscape, encrypts files on a victim’s computer or network until a ransom is paid. It is essential to recognize the severity of this cybercrime rather than dismissing it as a minor inconvenience. Furthermore, there is no guarantee that the threat is gone even after a ransom is paid. 

Discover how Microsoft 365 provides robust solutions to mitigate the risk of ransomware attacks. From user education to implementing security policies and leveraging powerful tools like Defender for Office 365, OneDrive, Attack Surface Reduction, Controlled Folder Access, and Microsoft Defender for Endpoint, organizations can enhance their security posture and protect their data. By leveraging these powerful solutions, organizations can enhance their security posture, detect, and prevent threats, and enable secure collaboration and data protection.

User Education

Before we get into the technical solutions, let us not forget that user education is a critical component in defending against ransomware. By educating users about phishing attempts, safe online practices, and the impact of ransomware, organizations can reduce the risk of falling victim to attacks. It fosters a security-conscious culture, empowering individuals to detect and report suspicious activities. This early detection enables prompt response and mitigation measures. User education enhances the organization’s overall defense against ransomware, complementing technical security measures and creating a proactive line of defense.

Stay on Top of Updates!

We cannot say it enough, keeping your Operating System (OS) and software updated is a critical defense mechanism against ransomware. Regular updates provide patches, security enhancements, updated malware signatures, exploit prevention, and compatibility/stability improvements that collectively bolster your system’s resilience and reduce the likelihood of falling victim to ransomware attacks.

Microsoft Intune offers several features that can help you keep your computers up to date. Here are some ways to leverage Intune for this purpose:

  1. Implement Software Update Policies for macOS, iOS, and Android to automatically download and install OS and application updates.
  2. Define Intune Update Rings Policy and Feature Update Policy to control the rollout of updates and test compatibility before deploying them to all devices.
  3. Set Compliance Policies to check for the latest updates and trigger actions for non-compliant devices.
  4. Use Intune’s Reporting and Monitoring capabilities to track the updated status of devices and take necessary actions.
  5. Leverage the integration with Windows Update for Business for additional update management features.

By leveraging these Intune features, you can ensure that your computers are up to date with the latest security patches, bug fixes, and feature updates, keeping your environment secure and efficient.

Figure 1: Three basic Windows Update Rings with staggered Quality Update deferrals.

Figure 2: Windows Feature Update Rings for staggered deployments.

Defender for Office 365

Defender for Office 365 is a comprehensive email security solution by Microsoft that safeguards organizations against a variety of email threats. It employs multiple layers of protection, including real-time threat intelligence and advanced Machine Learning (ML) capabilities to analyze and detect sophisticated threats, such as malware and ransomware, enhancing its ability to proactively identify and mitigate evolving security risks.

We recommend starting with the Standard Security Preset policy provided by Defender for Office 365, which serves as a solid baseline for protection. This way, you will always have Microsoft’s recommended, best practice, configuration for your environment.

Then, We highly recommend enabling Safe Attachments and Safe Links. By activating Safe Attachments, you create an additional layer of defense against malicious email attachments. It scans and analyzes attachments in a secure environment before they reach users, reducing the risk of unintentional exposure to harmful files. Similarly, enabling Safe Links safeguards against phishing attacks and malicious websites by checking and redirecting URLs in emails, Microsoft Teams, and Office apps.

Be sure to occasionally review and tune the anti-phishing policies in Defender for Office 365 like Impersonation Protection, Mailbox Intelligence, and Spoof Intelligence to take advantage of the advanced Machine Learning (ML) capabilities.

Finally, stay informed about the latest threat intelligence and updates from Microsoft to ensure your defenses are up-to-date and effective against emerging threats by using Threat Trackers and Explorer.

As always, educate your users about email security best practices, including being cautious with email attachments and links, and encourage them to report suspicious emails promptly.

Guard Your Data with OneDrive

Microsoft OneDrive offers a feature called Known Folder Move (KFM) that allows you to seamlessly back up and sync your important folders, such as Documents, Desktop, and Pictures, to your OneDrive cloud storage. KFM plays a crucial role in defending against ransomware attacks. In case of a ransomware attack, where your local files become encrypted and inaccessible, your synced files in OneDrive remain unaffected and can be easily restored to an earlier version.

It is easy to implement Known Folder Move (KFM) in Intune with a device configuration policy that includes the KFM settings, specifying the folders to synchronize with OneDrive. Assign the policy to the desired user or device groups within Intune. Ensure that the devices are enrolled and managed by Intune. Once the policy is applied, OneDrive will automatically synchronize the specified folders, providing backup and protection in the cloud. To verify successful implementation, monitor the deployment using Intune’s reporting and monitoring capabilities.

Figure 3: Sample OneDrive Known Folder Move Policy in Intune.

Attack Surface Reduction Policies

Attack Surface Reduction (ASR) policies provide a comprehensive framework for strengthening the security of Windows clients. These policies offer granular control over various system components and help minimize the avenues through which attackers can exploit vulnerabilities.

ASR policies work by employing a range of techniques to thwart potential threats. For example, they can block the execution of malicious files from certain locations, such as the AppData and Temp folders, which are common entry points for malware. They can also restrict the use of scripting engines to prevent the execution of malicious scripts or block the loading of unsigned and potentially harmful DLL files.

Another important aspect of ASR policies is the protection against social engineering attacks. They can prevent the execution of Office macros, a common vehicle for delivering malware, and disable the execution of PowerShell scripts from email and web attachments.

Furthermore, ASR policies leverage Machine Learning (ML) and Behavioral Analysis to identify and block suspicious activities that may show an attack in progress. This proactive approach helps in mitigating emerging and zero-day threats by detecting and preventing potentially harmful behavior.

By implementing Microsoft’s ASR policies, organizations can significantly reduce their attack surface and enhance their overall security posture. These policies complement other security measures and provide an additional layer of defense against a wide range of threats, including ransomware, malware, and exploits. Regular monitoring and fine-tuning of ASR policies ensure optimal protection while staying ahead of evolving cyber threats.

There are three standard ASR rules, which is the minimum set of rules that Microsoft recommends you always enable. These rules may be implemented with little to no impact on end users.

  1. Block executable content from email and webmail client locations: This rule prevents the execution of potentially malicious files that are commonly delivered through email attachments or webmail clients. It helps mitigate the risk of downloading and executing malware from these sources.
  2. Use advanced protection against ransomware: This rule enhances protection against ransomware by preventing suspicious activities commonly associated with file encryption. It blocks suspicious processes from accessing and encrypting files in protected folders, reducing the impact of ransomware attacks.
  3. Use advanced protection against Office macro-based threats: This rule is specifically focused on mitigating the risks associated with malicious Office macros. It blocks the execution of macros in Office applications, preventing the execution of potentially harmful scripts embedded in documents.

In addition to the minimum standard, Microsoft offers other, more advanced, ASR rules that provide advanced security measures to combat specific attack vectors. They include protection against suspicious behaviors, credential theft, network threats, code execution from Office attachments, and unauthorized process creation. Implementing these rules strengthens defenses, detects, and blocks sophisticated threats, safeguards critical credentials, prevents malicious network communication, blocks harmful code execution, prevents unauthorized file/folder access (more on this later), and restricts unauthorized process creation.

You can implement the Standard ASR policy (or add it to your existing ASR policy) in the Endpoint security > Attack Surface Reduction section of Intune.

Please note, implementing the Advanced ASR rules can have a significant impact/disruption to the end-user base and we recommend thorough planning and evaluation. Microsoft provides excellent guidance on this topic.

Figure 4: Standard ASR rules as configured in Intune.

Controlled Folder Access

Controlled Folder Access (CFA) is a powerful security feature introduced in Windows 10 that adds an extra layer of protection against ransomware and other malicious software. It works by restricting unauthorized applications from modifying or accessing specific folders designated as “protected.”

When CFA is enabled, it actively monitors the protected folders, keeping a close watch on any attempts by unknown or unauthorized applications to make changes to files within those folders. If an unauthorized application tries to access or modify files, it is blocked, and you are alerted about suspicious activity.

This feature utilizes a combination of techniques, including Machine Learning (ML) and Behavioral Analysis, to detect and prevent ransomware attacks. It is designed to provide a robust defense against file encryption attempts by malicious software, safeguarding your important documents, photos, and other valuable files.

By default, CFA protects several critical system folders, such as Documents, Pictures, Desktop, and Favorites. However, you can customize and add additional folders to the list of protected folders according to your specific needs.

Enabling CFA has a positive impact on your system’s security by safeguarding your important files against unauthorized modifications by ransomware. While it may cause minor disruptions, such as blocking legitimate applications, the benefits of added protection outweigh these temporary inconveniences. Regular review and adjustments ensure smooth operations while maintaining robust defense against ransomware.

To implement CFA via Intune, you can create an ASR policy (or add it to your existing ASR policy) in the Endpoint security > Attack Surface Reduction section of Intune. We recommend creating the policy in Audit mode at first to avoid disruptions.

Figure 5: Controlled Folder Access configured in Audit mode via Intune.

Microsoft Defender for Endpoint

Last, but not least, we can’t talk ransomware defense without talking about Microsoft Defender for Endpoint (MDE). MDE is an advanced endpoint security solution that provides comprehensive protection against various threats and helps organizations detect, investigate, and respond to security incidents. It combines threat prevention, detection, investigation, and response capabilities into a single unified platform.

MDE offers real-time protection against a wide range of threats, including malware, viruses, ransomware, and other malicious activities. It utilizes behavior-based, machine learning-powered algorithms to identify and block suspicious activities and files, ensuring proactive defense against emerging threats.

The solution also includes powerful Endpoint Detection and Response (EDR) capabilities, enabling security teams to quickly investigate and respond to security incidents. It provides detailed insights into the attack chain, allowing analysts to understand an incident’s root cause and scope. With built-in threat intelligence and powerful analytics, Microsoft Defender for Endpoint helps organizations identify and remediate threats across their entire network.

MDE integrates seamlessly with other Microsoft security products and services, such as Microsoft 365 Defender, Azure Defender, and Microsoft Cloud App Security. This integration enables a comprehensive approach to security, providing unified visibility and enhanced protection across endpoints, email, identities, cloud resources, and applications.

Deploying MDE can vary depending on your environment and needs. Microsoft recommends following their deployment guidelines or engaging a certified Microsoft Solutions Partner for guidance on selecting the appropriate deployment option. Once the deployment is completed, organizations should configure and customize the solution according to their specific requirements.

Figure 6: Microsoft Defender for Endpoint capabilities.

How can we help?

Protecting against ransomware and other cyber threats is a priority for everyone. Microsoft 365 offers a range of powerful tools, like those mentioned above, and more, that can strengthen your defenses and reduce the risk of an attack. PSM has a successful record of deploying Microsoft 365 solutions in small, mid-size, and enterprise organizations. As a trusted Microsoft Solutions Partner with designations in Modern Work, Security and Azure, PSM is committed to helping your organization plan and execute your ransomware defense strategy.

Related Insights

About the Author

Ilya Gofman
Ilya Gofman

Passionate and accomplished Information Technology expert with a track record of 17+ years in designing, implementing, and maintaining innovative networks and technologies across various industries. Offers invaluable advice to clients, creates innovative solution architectures, and ensures that technology strategies align seamlessly with business objectives. Recognized as a Microsoft 365 Certified Enterprise Administrator Expert.


(Managed Services, Cloud Services, Consulting, Cybersecurity, Talent)

What is 7+4?

has context menu Compose