
A recent study by Acronis Threat Research Unit reveals critical security gaps in Microsoft 365 backup data, exposing organizations to persistent threats from dormant malware and malicious URLs.
TL;DR Key Findings:
- 2M+ malicious URLs and 5K+ malware samples detected in M365 backups
- Shared responsibility model: Microsoft secures infrastructure, but data protection falls on organizations
- Threat persistence: Malware can remain dormant in backups, reinfecting systems during restoration
- Recommendations: Implement advanced backup security, email filtering, and regular audits
The Scope of the Threat
Acronis analyzed over 300,000 Microsoft 365 seats from a pool of 1.2 million, focusing on environments using only native security controls. The findings reveal:
- Malicious URLs: Phishing links and compromised domains embedded in emails/files
- Malware: Ransomware, info-stealers, and trojans stored in backup snapshots
- Persistence risk: Backup restorations can reintroduce threats if scans are not performed pre-recovery
“Backup data is meant to be a safety net, but infected backups become Trojan horses.”
Why Native Security Falls Short
Microsoft 365 operates on a shared responsibility model:
| Responsibility | Microsoft’s Role | Organization’s Role |
|---|---|---|
| Infrastructure | Secures servers, networks | N/A |
| Data | Provides basic tools | Must implement advanced protection |
Built-in defenses like Exchange Online Protection (EOP) and Microsoft Defender focus on real-time threats, not dormant malware in backups.
Technical Implications for Security Teams
For Red Teams & Threat Researchers
- Attack vector: Backups can be weaponized for supply-chain attacks. A compromised backup allows lateral movement post-restoration.
- Persistence: Malware like Emotet or QakBot could survive in backups for months.
For Blue Teams & SOC Analysts
- Detection gaps: Traditional SIEMs may not scan backup storage. Consider scanning backup artifacts with ClamAV through the clamd daemon (python-clamd package; the original snippet's `scan_file` is not a python-clamd method, the call is `scan`):

```python
# Scan a backup artifact with ClamAV via the clamd daemon (python-clamd package)
import clamd

cd = clamd.ClamdUnixSocket()  # connects to the local clamd Unix socket
scan_result = cd.scan("/backup/path/file.zip")  # {path: ('OK' | 'FOUND', signature_or_None)}
status, signature = scan_result["/backup/path/file.zip"]
if status == "FOUND":
    print(f"Infected backup artifact, do not restore: {signature}")
```
- Remediation: Immutable backups (e.g., append-only storage) prevent tampering.
Recommended Mitigations
- Adopt third-party backup solutions with malware scanning (e.g., Acronis, Veeam).
- Enable immutable backups to block ransomware encryption.
- Audit backups quarterly for IOCs using tools like YARA or ClamAV.
- Train staff to recognize phishing—96% of ransomware attacks start via email.
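As an added example (not code from the Acronis study or any vendor product), a pre-restore audit gate of the kind the persistence and audit items above call for: it walks a backup snapshot, matches every item's SHA-256 against a known-bad set, checks URLs inside mail items against a domain blocklist, and refuses restoration if anything is found. The EICAR test string, the `phish.example` domain, the snapshot layout and all function names are constructed assumptions; a production gate would call ClamAV or YARA in place of the hash set.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed indicators: the standard EICAR test string stands in for a malware
# sample, and "phish.example" is a placeholder blocklist entry, not a real IoC.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}
BLOCKED_DOMAINS = {"phish.example"}
MAIL_SUFFIXES = {".eml", ".msg"}             # mail items whose body is checked for URLs
URL_RE = re.compile(rb"https?://([a-z0-9.-]+)", re.IGNORECASE)

def audit_file(path: Path) -> list:
    """Return findings for one backed-up item; an empty list means clean."""
    data = path.read_bytes()
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:           # dormant malware stored in the snapshot
        findings.append({"item": path.name, "type": "malware",
                         "detail": KNOWN_BAD_SHA256[digest]})
    if path.suffix.lower() in MAIL_SUFFIXES: # malicious URL embedded in a mail item
        hosts = {m.group(1).decode().lower() for m in URL_RE.finditer(data)}
        for host in sorted(hosts & BLOCKED_DOMAINS):
            findings.append({"item": path.name, "type": "malicious_url", "detail": host})
    return findings

def audit_snapshot(root) -> dict:
    """Walk a snapshot; restoration is allowed only when no finding was raised."""
    files = [p for p in sorted(Path(root).rglob("*")) if p.is_file()]
    findings = [f for p in files for f in audit_file(p)]
    return {"scanned": len(files), "findings": findings, "safe_to_restore": not findings}

def build_demo_snapshot(root, infected: bool) -> Path:
    """Write a constructed snapshot; infected=True adds an EICAR sample and a phishing mail."""
    docs, mail = Path(root) / "Documents", Path(root) / "Mailbox"
    docs.mkdir(parents=True, exist_ok=True)
    mail.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx").write_bytes(b"quarterly numbers, nothing unusual")
    (mail / "msg0.eml").write_bytes(b"Agenda attached, see https://intranet.example/")
    if infected:
        (docs / "invoice.zip").write_bytes(EICAR)
        (mail / "msg1.eml").write_bytes(b"Please sign in at http://phish.example/login")
    return Path(root)

def run_demo(infected: bool = True) -> dict:
    # Build a throwaway snapshot, audit it and return the restore verdict
    with tempfile.TemporaryDirectory() as tmp:
        return audit_snapshot(build_demo_snapshot(tmp, infected))
```

`run_demo()` returns a verdict dict whose `safe_to_restore` flag is what a restore job should consult before writing anything back into the tenant.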
Conclusion
The Acronis study highlights a critical blind spot: backups intended for disaster recovery can become long-term threat reservoirs. Organizations must augment Microsoft 365’s native tools with layered security to mitigate risks.