Microsoft 365 Doesn’t Back Up Your Data — Ransomware Proves It

A finance department opens an attachment on a Monday morning. By midday, files across SharePoint, Teams, and Exchange are encrypted or deleted. The IT team calls Microsoft support expecting a full restore. What they get instead is a painful lesson in what Microsoft 365 actually guarantees.

Microsoft 365 is a highly available cloud platform — but availability is not the same as backup. Microsoft protects its infrastructure from failure. It does not protect your data from what your users (or attackers) do with it. This distinction matters enormously when ransomware or a compromised tenant account has altered or destroyed your data.

The confusion is widespread. IT administrators on forums like r/sysadmin regularly post questions like “do I even need a third-party backup for Microsoft 365?” The answer, in a ransomware scenario, is almost always: yes, and you probably needed it before the incident.

Key Takeaways

• Microsoft 365’s built-in tools are availability features, not backups: retention policies, version history, and the recycle bin have hard limits that attackers can exploit or outlast.
• Ransomware targeting Microsoft 365 is a growing and documented threat: according to the Hornetsecurity Ransomware Impact Report 2025, 24% of organisations reported being a ransomware victim in 2025, up from 18.6% in 2024.
• Third-party backup solutions provide the only reliable path to full, point-in-time recovery, particularly for tenants that need to meet NIS2 or ISO 27001 recovery requirements.

What Does Microsoft Actually Protect in a 365 Tenant?

Microsoft operates under a Shared Responsibility Model. In SaaS environments like Microsoft 365, Microsoft is responsible for service uptime, data centre resilience, and infrastructure security. Your organisation remains responsible for the data itself — including protecting it from deletion, encryption, or corruption caused by users, administrators, or attackers.
As Microsoft’s own Shared Responsibility documentation makes clear: in SaaS environments, you always retain responsibility for your data and identities. Microsoft’s role is to keep the infrastructure running — not to protect what users or attackers do to your data.

What Microsoft provides natively:
• Recycle Bin: Deleted items are retained for 93 days (SharePoint, OneDrive). After that, data is permanently gone.
• Version history: Up to 500 versions per file in SharePoint. Ransomware that overwrites files with encrypted versions will consume these slots quickly.
• Litigation Hold / Retention Policies: These preserve items for compliance purposes, not for operational recovery. Restoring a specific file version from a hold is complex and often requires third-party tooling.
• Microsoft 365 Backup (preview): A newer Microsoft feature offering point-in-time recovery for OneDrive, SharePoint, and Exchange, but limited in scope, subject to licensing, and not yet suitable as a standalone backup strategy for most organisations.

The practical consequence: if ransomware strikes and encryption or deletion runs for more than a few hours, native tools may already be unable to provide a clean restore point.

How Ransomware Specifically Targets Microsoft 365

Modern ransomware groups do not simply encrypt local drives. Many campaigns now specifically target cloud environments. According to the Microsoft Digital Defense Report 2025, over 52% of cyberattacks with known motives were driven by extortion or ransomware — and Microsoft observed a 275% year-over-year increase in human-operated ransomware attacks against its customers between July 2023 and June 2024. These are not abstract statistics. They describe the environment that Microsoft 365 tenants operate in every day.

Common attack vectors include:
• Compromised accounts via phishing: An attacker gains access to a privileged account and begins deleting files, corrupting version history, or exfiltrating data before triggering encryption. According to the same Microsoft report, 28% of breaches were initiated through phishing or social engineering.
• OAuth application abuse: Malicious third-party apps granted access to a tenant can silently exfiltrate or manipulate data over extended periods.
• Global admin takeover: If a global admin account is compromised, attackers can disable audit logging, remove retention policies, and empty recycle bins before anyone notices.

A key point often missed: in a ransomware attack against Microsoft 365, recovery time is directly tied to whether an independent, immutable backup exists. Without one, “recovery” often means starting from whatever fragments Microsoft’s native tools can surface.
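The tampering described above (audit logging disabled, retention policies removed, recycle bins emptied, files overwritten in bulk) leaves traces in the unified audit log before recovery options run out. The following is an added detection sketch in Python, not part of the original article: it scans exported audit records for those events. The sample records, user names and burst thresholds are constructed assumptions, and the operation names should be checked against your own tenant's export.

```python
from datetime import datetime, timedelta

# Operation names as they appear in unified audit log exports; thresholds are assumptions.
PURGE_OPS = {"FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin",
             "FileVersionsAllDeleted"}
POLICY_OPS = {"Remove-RetentionCompliancePolicy", "Remove-RetentionComplianceRule"}
BURST_THRESHOLD = 5                    # FileModified events by one user...
BURST_WINDOW = timedelta(minutes=10)   # ...inside this window

def audit_disabled(rec):
    """True when Set-AdminAuditLogConfig switches unified audit ingestion off."""
    if rec["Operation"] != "Set-AdminAuditLogConfig":
        return False
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    return params.get("UnifiedAuditLogIngestionEnabled", "").lower() == "false"

def find_recovery_tampering(records):
    """Return (time, user, finding) tuples for events that erode native recovery."""
    findings, recent = [], {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        ts = datetime.fromisoformat(rec["CreationTime"])
        user, op = rec["UserId"], rec["Operation"]
        if audit_disabled(rec):
            findings.append((ts, user, "audit-logging-disabled"))
        elif op in POLICY_OPS:
            findings.append((ts, user, "retention-policy-removed"))
        elif op in PURGE_OPS:
            findings.append((ts, user, "recycle-bin-or-versions-purged"))
        elif op == "FileModified":
            window = [t for t in recent.get(user, []) if ts - t <= BURST_WINDOW] + [ts]
            recent[user] = window
            if len(window) == BURST_THRESHOLD:  # report once as the burst reaches the threshold
                findings.append((ts, user, "mass-file-overwrite"))
    return findings

def make_record(time, user, op, **extra):
    return {"CreationTime": f"2025-03-03T{time}", "UserId": user, "Operation": op, **extra}

# Constructed sample records (not from a real tenant).
SAMPLE = (
    [make_record(f"09:0{i}:00", "finance@example.com", "FileModified") for i in range(6)]
    + [make_record("09:01:30", "colleague@example.com", "FileModified"),
       make_record("09:10:00", "admin@example.com", "Set-AdminAuditLogConfig",
                   Parameters=[{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]),
       make_record("09:11:00", "admin@example.com", "Remove-RetentionCompliancePolicy"),
       make_record("09:12:00", "admin@example.com", "FileDeletedSecondStageRecycleBin")]
)

if __name__ == "__main__":
    for ts, user, finding in find_recovery_tampering(SAMPLE):
        print(ts.isoformat(), user, finding)
```

Because a compromised global admin can switch audit ingestion off, alerts like these are only dependable when the log is streamed to storage outside the tenant.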

What Recovery Options Actually Exist After a Microsoft 365 Incident?

Option 1: Native Microsoft Tools
Microsoft provides several recovery paths built into the platform:
a. Navigate to the SharePoint admin centre and access the recycle bin for deleted site content.
b. Use the “Restore your OneDrive” feature to roll back to a point up to 30 days ago (for OneDrive for Business).
c. Use version history per file to restore individual documents.
d. For Exchange, use the Recoverable Items folder to access purged emails within retention windows.
Limitation: These tools work for accidental deletion within short timeframes. They are not designed for tenant-wide ransomware recovery and have no coverage for configuration settings, permissions, or Teams metadata.

Option 2: Microsoft 365 Backup (Microsoft’s Own Solution)
Microsoft launched Microsoft 365 Backup as a premium add-on. It supports:
• SharePoint site restores
• OneDrive account restores
• Exchange mailbox restores
Recovery windows are defined at configuration time and can extend to 180 days. However, this solution does not cover all Microsoft 365 workloads, requires additional licensing, and is not yet available in all regions or for all plan types.

Option 3: Third-Party Backup Solutions
Third-party solutions — such as those integrated into a Microsoft Cloud Backup strategy — provide the broadest recovery capabilities. Key advantages:
• Tenant-wide backup across Exchange, SharePoint, OneDrive, Teams, and sometimes Azure AD / Entra ID
• Immutable storage, preventing attackers from deleting backup data even with tenant admin access
• Granular restore options (individual emails, files, or entire sites)
• Air-gapped or offsite copies that ransomware cannot reach
For organisations subject to NIS2 or ISO 27001 requirements, Disaster Recovery planning must include Microsoft 365 data explicitly. A third-party solution is typically the only way to demonstrate documented, testable, and reproducible recovery from a ransomware event.

How Should You Test a Microsoft 365 Recovery Plan?

Having a backup is not the same as having a tested recovery plan. The Hornetsecurity Ransomware Impact Report 2025 found that while 82% of surveyed organisations now have a Disaster Recovery Plan, only 62% use immutable backups — and less than a third of companies believe they can recover quickly from even a small attack. The gap between having a plan and having a working plan is significant.

A practical test approach for Microsoft 365 ransomware recovery:
• Define your RTO and RPO: How long can your organisation function without email? Without SharePoint? Set realistic targets.
• Create a test tenant or sandbox environment: Restore to an isolated location to avoid overwriting live data.
• Run a simulated incident: Delete a folder, corrupt a set of files, and attempt recovery using only the tools available to you.
• Document the gaps: What couldn’t you recover? What took longer than expected? Update your incident response plan accordingly.
• Repeat quarterly: Environments change. New Teams channels, new SharePoint sites, new workflows — all need backup coverage.
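The "document the gaps" step can be made repeatable by scoring each drill against the RTO and RPO targets set in the first step. The following is an added example in Python, not part of the original article: it takes per-workload targets, the backup points that existed, and the times at which restores were verified, and reports where the drill fell short. All workload targets and timestamps are constructed, and the RTO clock is assumed to start when the simulated incident begins.

```python
from datetime import datetime, timedelta

def evaluate_drill(targets, snapshots, incident_start, restores):
    """Compare one restore drill with per-workload RTO/RPO targets.

    targets:   {workload: {"rto": timedelta, "rpo": timedelta}}
    snapshots: {workload: [datetime, ...]} backup points that existed for the drill
    restores:  {workload: datetime} when restored data was verified usable
    """
    report = {}
    for workload, target in targets.items():
        gaps = []
        # Snapshots taken after the incident began may hold damaged data: exclude them.
        clean = [s for s in snapshots.get(workload, []) if s < incident_start]
        rpo = incident_start - max(clean) if clean else None
        done = restores.get(workload)
        rto = done - incident_start if done else None  # assumption: clock starts at incident
        if rpo is None:
            gaps.append("no clean restore point")
        elif rpo > target["rpo"]:
            gaps.append(f"RPO missed by {rpo - target['rpo']}")
        if rto is None:
            gaps.append("restore not completed")
        elif rto > target["rto"]:
            gaps.append(f"RTO missed by {rto - target['rto']}")
        report[workload] = {"rpo": rpo, "rto": rto, "gaps": gaps}
    return report

def sample_drill():
    """Constructed drill data: targets, snapshot times and restore times are invented."""
    h = lambda n: timedelta(hours=n)
    incident = datetime(2025, 3, 3, 9, 0)
    targets = {"Exchange": {"rto": h(4), "rpo": h(4)},
               "SharePoint": {"rto": h(8), "rpo": h(8)},
               "Teams": {"rto": h(8), "rpo": h(24)}}
    snapshots = {"Exchange": [incident - h(3)],
                 "SharePoint": [incident - h(11), incident + h(1)]}  # Teams: never backed up
    restores = {"Exchange": incident + h(2), "SharePoint": incident + h(10)}
    return evaluate_drill(targets, snapshots, incident, restores)

if __name__ == "__main__":
    for workload, result in sample_drill().items():
        print(workload, result["gaps"] or "targets met")
```

Keeping each quarter's report alongside the incident response plan gives auditors the recovery-testing evidence the plan refers to.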

Organisations using Ransomware Protection services should ensure that Microsoft 365 is explicitly included in scope — not treated as inherently safe because it runs in Microsoft’s cloud.

What Changes Under NIS2 for Microsoft 365 Backup Obligations?

The NIS2 Directive, enforceable in EU member states from October 2024, requires operators of essential and important services to implement appropriate technical and organisational measures for business continuity. This includes:
• Backup management and disaster recovery
• Supply chain security (including cloud providers)
• Incident response and reporting obligations

Microsoft is a cloud provider — not a recovery service for your data. Under NIS2, your organisation remains accountable for maintaining recoverable copies of data processed in Microsoft 365. Auditors and competent authorities will expect documentation of backup policies, recovery testing, and RTO/RPO commitments.

For organisations building a Data Security strategy that includes Microsoft 365, the question is no longer “do we need backup?” but “can we demonstrate tested recovery?”

Conclusion

Microsoft 365 is designed for productivity and availability — not for recovery after a ransomware event. Native tools like version history and the recycle bin offer limited protection that determined attackers can bypass or outlast. With ransomware affecting 24% of organisations in 2025 and attack volumes continuing to rise, the assumption that Microsoft handles backup is a recovery risk organisations can no longer afford to carry. A dedicated backup strategy, third-party tooling, and regular restore testing are the only reliable way to recover a compromised Microsoft 365 tenant and meet growing regulatory obligations under NIS2.

Frequently asked questions

Can Microsoft restore my Microsoft 365 data after a ransomware attack?

No, not in the way most organisations expect. Microsoft’s support team can assist with some native tool operations, but they do not maintain organisation-specific backups. If native recovery features — such as the recycle bin, version history, or Litigation Hold — cannot surface clean data, Microsoft cannot provide a full restore. For comprehensive tenant recovery after ransomware, organisations need their own backup solution.

Does Microsoft 365 version history protect against ransomware?

Not reliably. Version history preserves previous file versions, but ransomware that overwrites files repeatedly can exhaust version slots quickly. Once encryption runs through 500 versions of a document, earlier clean versions are gone. Additionally, version history does not cover metadata, permissions, Teams configurations, or shared mailboxes in a way that supports tenant-wide recovery.

Is Microsoft 365 Backup sufficient as a standalone backup solution?

For many organisations, no. Microsoft 365 Backup is a useful addition to the native toolkit, but it has workload coverage limitations, requires additional licensing, and may not be available in all regions or plan types. It also does not provide immutable, offsite storage — which is important when attackers have compromised global admin accounts. Most organisations with documented recovery requirements will need a third-party solution in addition to or instead of Microsoft 365 Backup.
