Is Exchange Online Threatened by Ransomware?

Some people worry that Exchange Online mailboxes could be compromised by ransomware and people will be forced to pay Bitcoin to decrypt their messages. It's certainly a possibility, but out-of-the-box solutions exist if you're unlucky enough to be infected. That is, if you've done the necessary up-front planning to prepare for the worst to happen.

@Tony Redmond Well, it's not an easy thing to do; still, Microsoft would have already started taking actions on the security of Exchange.

@Smith_J  I think it's fair to say that some discussions are happening that should lead to better protection all round.

@Tony Redmond

All email messages for Exchange Online travel through Exchange Online Protection (EOP), which quarantines and scans in real time all email and email attachments both entering and leaving the system for viruses and other malware. Administrators do not need to set up or maintain the filtering technologies; they are enabled by default. However, administrators can make company-specific filtering customizations using the Exchange admin center.

Using multiple anti-malware engines, EOP offers multilayered protection that's designed to catch all known malware. Messages transported through the service are scanned for malware (including viruses and spyware). If malware is detected, the message is deleted. Notifications may also be sent to senders or administrators when an infected message is deleted and not delivered. You can also choose to replace infected attachments with either default or custom messages that notify the recipients of the malware detection.

The following helps provide anti-malware protection:

  • Layered Defenses Against Malware - Multiple anti-malware scan engines used in EOP help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
  • Real-time Threat Response - During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat even before a definition is available from any of the engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
  • Fast Anti-Malware Definition Deployment - The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they are publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.

Advanced Threat Protection

Advanced Threat Protection (ATP) is an email filtering service that provides additional protection against specific types of advanced threats, including malware and viruses. Exchange Online Protection currently uses a robust and layered anti-virus protection powered by multiple engines against known malware and viruses. ATP extends this protection through a feature called Safe Attachments, which protects against unknown malware and viruses, and provides better zero-day protection to safeguard your messaging system. All messages and attachments that don't have a known virus/malware signature are routed to a special hypervisor environment, where a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.

Exchange Online Protection also scans each message in transit in Office 365 and provides time-of-delivery protection, blocking any malicious hyperlinks in a message. Attackers sometimes try to hide malicious URLs with seemingly safe links that are redirected to unsafe sites by a forwarding service after the message has been received. Safe Links proactively protects your users if they click such a link. That protection remains every time they click the link, and malicious links are dynamically blocked while good links are accessible.

ATP also offers rich reporting and tracking capabilities, so you can gain critical insights into who is getting targeted in your organization and the category of attacks you are facing. Reporting and message tracing allows you to investigate messages that have been blocked due to an unknown virus or malware, while the URL trace capability allows you to track individual malicious links in the messages that have been clicked. Learn more about Exchange Online plans

@Akshay_Mane Well, thank you for the marketing write-up on behalf of Exchange Online Protection (how much did you cut and paste directly from Microsoft's documentation?). I admire your confidence that EOP and ATP will catch every single piece of malware that arrives for checking. The reality is that some percentage of malware gets through and some users open infected messages. Hence the need for caution.

But please continue to be confident. It's nice to see such faith expressed in EOP and ATP.

For more information about the percentage of infected messages that get past defenses, read the discussion in

Before writing this piece, I spoke to the EOP engineers about the challenges they face in suppressing malware. It's a huge technical and logistical challenge, which explains why some malware will always get through.

@Tony Redmond

Exchange servers are in MS data centers and hence I don't think there are any ransomware threats... however, if anyone sends email to you/your account with malicious code, it will impact your local computer from which you are accessing the emails... in this case you can use/trust EOP.
If MFA is enabled it will be almost impossible for a hacker to penetrate, as far as accessing the account.

@Akshay_Mane Given that I have been writing about Office 365 since 2011, and Exchange since 1996, I think I know where the Exchange Online servers are located.

Remember that ransomware can be delivered by email. As we have already established, some malware gets through anti-malware defenses and will arrive in user mailboxes. Depending on the attack vector, all it might take is for a user to open a message and click a suspect link to cause their complete mailbox to be infected by ransomware (the proof of concept offered in the Mitnick demo). MFA doesn't come into the equation if a user is lured into granting an app permissions over their mailbox.

The possibility of a successful ransomware attack on Exchange Online exists. I personally feel that attackers will choose easier targets, but that doesn't mean that we should be complacent and rely on anti-malware tools to protect mailboxes from infection.
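A defensive follow-up to the consent point made in the reply above, added here as an example and not code from the thread or from Microsoft: the function below reviews delegated OAuth permission grants and flags those that give an app mailbox-level scopes, ranking single-user consents to unrecognised apps first. The records are constructed to mirror the field names of the Microsoft Graph oauth2PermissionGrant resource (clientId, consentType, principalId, scope); the sample apps, ids, and the scope list are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Delegated Microsoft Graph scopes that let an app read, change or send mail
# on the consenting user's behalf (assumption: a starting list, not exhaustive).
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadWrite.Shared",
                  "Mail.Send", "MailboxSettings.ReadWrite"}
UNKNOWN = "<unknown app>"

@dataclass(frozen=True)
class Finding:
    client_id: str              # service principal of the consented app
    app_name: str
    consent_type: str           # "Principal" = one user consented; "AllPrincipals" = tenant-wide
    principal_id: Optional[str] # the consenting user for a "Principal" grant
    scopes: tuple               # the mailbox scopes the grant carries

def risky_mailbox_grants(grants, app_names, allowlist=frozenset()):
    """Return one Finding per grant that carries a mailbox scope.

    grants: dicts shaped like Graph oauth2PermissionGrant objects.
    app_names: clientId -> display name, taken from the matching service principals.
    allowlist: clientIds of apps the organisation has already reviewed and accepted.
    """
    findings = []
    for g in grants:
        if g["clientId"] in allowlist:
            continue
        # scope is one space-separated string in the Graph resource
        hit = tuple(sorted(set(g.get("scope", "").split()) & MAILBOX_SCOPES))
        if hit:
            findings.append(Finding(g["clientId"], app_names.get(g["clientId"], UNKNOWN),
                                    g["consentType"], g.get("principalId"), hit))
    # user-level consents to apps nobody recognises are the consent-phishing pattern
    findings.sort(key=lambda f: (f.consent_type != "Principal", f.app_name != UNKNOWN))
    return findings

# Constructed sample data, not real tenant output.
SAMPLE_APP_NAMES = {"sp-1111": "Corp Calendar Sync", "sp-2222": "Free PDF Viewer"}
SAMPLE_GRANTS = [
    {"clientId": "sp-1111", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Calendars.Read User.Read"},
    {"clientId": "sp-2222", "consentType": "Principal", "principalId": "user-abcd",
     "scope": "User.Read Mail.ReadWrite Mail.Send offline_access"},
]

if __name__ == "__main__":
    for f in risky_mailbox_grants(SAMPLE_GRANTS, SAMPLE_APP_NAMES):
        print(f"{f.app_name} ({f.client_id}) {f.consent_type} "
              f"principal={f.principal_id} scopes={' '.join(f.scopes)}")
```

In a real tenant the grants and service principal names would come from the Graph oauth2PermissionGrants and servicePrincipals endpoints; anything flagged is a candidate for revoking the grant and, where the consent was a user's own, for checking that user's mailbox rules and sent items.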