The Datamax Thinking Blog

Educating, collaborating, and sparking ideas for maximizing the technology that matters.


Three Tactics to Thwart Office 365 Ransomware Threats


I must say, I love history. For humanity's sake, I deeply hope it’s never rewritten. I’m not entirely sure whether my interest lies in the fun and fascination of discovery, or the fear of repeating failures it documents. One thing’s for sure, as summed up by Edmund Burke, “Those who don't know history are doomed to repeat it.”

No doubt, a truth proven over and over again.

So here’s a bit of history (2,000 years in the making) every business should consider as it prepares to compete and/or to defend its resources — the focus of this blog.

“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” - Sun Tzu (Chinese military general and philosopher best known for writing The Art of War)

The need for effective IT security strategies ... and tactics.

So, consider this bit of recent history ... 29% of IT professionals report their clients have encountered ransomware that specifically targeted Office 365. Additionally, a stunning 100% of IT professionals indicated they had seen Windows systems infected by ransomware, as outlined in Datto’s State of the Channel Ransomware Report. The need for effective overriding IT security strategies (and tactics) is obvious if business professionals are to avoid repeating recent ransomware-specific history.

The following are three solid tactics from Datto you can use to thwart future Office 365 ransomware threats.

Tactic 1: Enable DNS Blocking

Switch to a DNS (domain name system) service that actively monitors and blocks known malware sites to reduce the risk of ransomware. Unless you’ve custom configured some settings, it’s very likely that a site’s DNS provider is the internet service provider. When anyone on the network types, say, “www.datto.com” in a browser, that request goes to the DNS provider.

A third-party DNS service provider may block specific sites. Some businesses use DNS to filter a variety of websites, spanning from social media to online retailers. More complex configurations can block certain sites from specific user groups, but allow access from other groups’ systems. Several vendors, such as Dyn, OpenDNS, and Untangle, offer these services.

DNS service providers can also block access to malicious sites. This blocking can work two ways: by blocking a request when a person inside an organization attempts to access a harmful site, or—if malware is already inside an organization—by blocking attempts by malware inside the organization to “phone home” outside the organization. When a device on the network requests a site identified as a ransomware source, the DNS provider prevents access. Instead of a fresh serving of malware, you see a notification that the requested site is blocked, often with a suggestion to contact a network administrator if you believe the site to be blocked in error.

Tactic 2: Configure SmartScreen Policies

Microsoft’s SmartScreen filters work to block harmful sites and downloads at the browser level, much like a DNS provider can at the network level. The system calculates a risk score, based on a variety of factors, then warns the user of potential harm. SmartScreen works within both Microsoft Edge and Internet Explorer 11 browsers.

An administrator can configure SmartScreen to act either as an adviser or a blocker. When set as an adviser, SmartScreen shows a warning when a person visits a potentially harmful site or downloads a potentially harmful file, but the warning can be ignored. To ensure that SmartScreen filters are active, configure three group policies:

  • Configure the SmartScreen filter setting to turn SmartScreen on,
  • Prevent bypassing SmartScreen prompts for files, and
  • Prevent bypassing SmartScreen prompts for sites.

(On your own system, see SmartScreen settings for Internet Explorer in Tools > Safety settings, or for Edge in Settings > View Advanced Settings.) With these settings, SmartScreen will block visits to sites identified as harmful and also prevent downloads of unverified files.
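To confirm on an endpoint that the three policies above actually arrived, the following PowerShell audit is an added example, not part of the original article or of Datto's guidance. It assumes the policies are applied machine-wide for legacy Microsoft Edge, where they are stored under the `PhishingFilter` policy key as the values `EnabledV9`, `PreventOverrideAppRepUnknown` and `PreventOverride`; the function name `Test-SmartScreenPolicy` is hypothetical.

```powershell
# Added example: audit the three SmartScreen group policies on the local machine.
# Assumption: machine-level (HKLM) policy for legacy Microsoft Edge.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'

# Policy from the list above -> registry value it writes (1 = enforced).
$expected = [ordered]@{
    'Configure SmartScreen (turn on)'     = 'EnabledV9'
    'Prevent bypassing prompts for files' = 'PreventOverrideAppRepUnknown'
    'Prevent bypassing prompts for sites' = 'PreventOverride'
}

function Test-SmartScreenPolicy {
    param(
        [string]$Key = $policyKey,
        [System.Collections.IDictionary]$Settings = $expected
    )
    # A missing key means no policy is applied: the user decides, and the
    # warning stays advisory (it can be clicked through).
    $values = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Settings.Keys) {
        $valueName = $Settings[$name]
        $actual = $null
        if ($values -and $values.PSObject.Properties[$valueName]) {
            $actual = $values.$valueName
        }
        [pscustomobject]@{
            Policy   = $name
            Value    = $valueName
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Enforced = ($actual -eq 1)
        }
    }
}

$report = @(Test-SmartScreenPolicy)
$report | Format-Table -AutoSize

# Non-zero exit lets a compliance or RMM job flag the machine.
if ($report.Enforced -contains $false) {
    Write-Warning 'SmartScreen is in adviser mode or off: at least one policy is not enforced.'
    exit 1
}
```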

There are a variety of other content-filtering solutions from SonicWall, uBlock, Google, and Barracuda that also may be worth taking a look at for your organization.

Tactic 3: Configure Email Screening

Email attachments often deliver a ransomware payload. “Here’s the file you need,” reads the text of the email—with an attachment. Too often, the recipient opens the file only to realize later that it wasn’t a needed file, but instead a malicious app.

Microsoft gives Office 365 administrators the ability to block any of nearly 100 different file types.

The most secure setting would be to simply delete all attachments. Anyone needing to share files with people could upload a file to OneDrive, then share access. The recipient would receive a notification via email—but not the actual file!—and could then log into OneDrive to view files “Shared with me.”

You should block files likely to be harmful. According to a Microsoft Security Intelligence Report from June 2016, the file types most often blocked by Office 365 Advanced Threat Protection were Word (.doc, .docm), JavaScript (.js), and executable files (.exe, .scr, .com, .pif, .cpl).

To block these file types, log in to your Office 365 Admin account, select the Security & Compliance tile, choose Threat Management, then Anti-malware. There, you may either edit the default configuration, or add additional screening criteria. A core set of executable files is blocked, including the following types: .ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, and .vbs. In addition to these defaults, you might also block the following types: .js (JavaScript file extension), .rar (a compressed file type), as well as .cpl and .pif, to protect against the most common concerns.

You may also block attachments for specific sender or recipient users, groups, or domains. In a work setting, you might choose to prohibit attachments among management, but allow attachments among the C-level. When you create your anti-malware rule, choose the sender or recipient settings (found near the bottom of the rules configuration screen).
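The same attachment block list can be checked and extended from Exchange Online PowerShell instead of the admin portal. This is an added example, not part of the original article: it assumes the ExchangeOnlineManagement module, an already connected admin session, and the tenant's built-in policy named `Default`; the helper `Get-MissingFileType` is hypothetical.

```powershell
# Added example. Prerequisite (run once per session, placeholder account):
#   Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Extensions the article suggests adding on top of the default block list.
$wanted = 'js', 'rar', 'cpl', 'pif'

function Get-MissingFileType {
    param([string[]]$Current, [string[]]$Wanted)
    # The policy stores extensions without the leading dot; normalise both
    # sides so ".JS" and "js" compare as equal.
    $have = $Current | ForEach-Object { $_.TrimStart('.').ToLowerInvariant() }
    $Wanted |
        ForEach-Object { $_.TrimStart('.').ToLowerInvariant() } |
        Where-Object { $have -notcontains $_ } |
        Select-Object -Unique
}

$policy  = Get-MalwareFilterPolicy -Identity 'Default'
$missing = @(Get-MissingFileType -Current $policy.FileTypes -Wanted $wanted)

if (-not $policy.EnableFileFilter) {
    # With the file filter off, the extension list is not applied at all.
    Write-Warning 'Attachment type filtering is disabled on the Default policy.'
}

if ($missing.Count -gt 0 -or -not $policy.EnableFileFilter) {
    $params = @{ Identity = 'Default'; EnableFileFilter = $true }
    if ($missing.Count -gt 0) {
        # @{Add = ...} appends to the existing list instead of replacing it.
        $params.FileTypes = @{ Add = $missing }
    }
    # -WhatIf previews the change; remove it to apply.
    Set-MalwareFilterPolicy @params -WhatIf
} else {
    Write-Output 'Default policy already blocks: js, rar, cpl, pif.'
}
```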

OK, just one more tactic.

If you're looking for further details regarding strategies for protecting your networks and devices and how to recover your data if a ransomware event does occur, please download our FREE eBook Defending Office 365 Data from Ransomware.

For more pressing needs or concerns, please schedule a comprehensive Network Risk Assessment with a Datamax Technology Consultant today.

Now that's being tactical.


Source: Datto
