Many people believe that their files, stored in the cloud, are safe for viruses. Even when your files are stored in the cloud, in this case Office 365, they can still be vulnerable for viruses. It’s always important to protect your computer for any possible malware or virus attack.

One of our customers is currently migrating from their file storage to Office 365 sites. A short time ago, their network shares got encrypted by a crypto locker Trojan. They asked us, if this could still happen with their files, stored in Office 365.

Since I work with SharePoint and Office 365, I’ve never heard of any virus case and so I believed, that there shouldn’t be anything to worry about. A short test with WebDAV and with OneDrive for business proved me wrong.

Files in Office 365 should be pretty safe, as they are normally not accessed via the file system and are therefore out of reach for normal viruses or malware. However, it’s possible for users to connect to their SharePoint libraries via WebDAV or using a sync mechanism like OneDrive for Business. These techniques can be very useful, but also bring the files back in reach for a possible attack.

Normally you should still be pretty safe, as SharePoint automatically detects file changes and will generate a new version (if enabled) for the file. Version history should allow you to revert the file back to its original state. If a file got deleted by an attack, you can always retrieve it back from the trash bin in Office 365.

With the test, I noticed one major issue; filenames are not being protected by versioning. If a filename change occurs, the modified date is altered without an increase of the version number. The version does only increase if the name changes and the content is altered at the same time, but reverting back to an older version, does not restore the original filename.

Theoretically, this can be a big deal, because if an attack only changes filenames to unreadable names, the SharePoint library is also updated with these new filenames. The user is left with an library full of unidentifiable filenames and there is no way, for the user, to revert back to the original names.

Library and version info before the filename updates:
o365_document_library_before_malware_attack

Library and version info after the filename changes via WebDAV:
o365_document_library_after_malware_attack

What to do if your files in Office 365 have been malformed?
1) If files have been deleted, navigate to the Recycle Bin to restore them back.
2) If files have been altered, revert back to an earlier version with version history (if enabled)
3) If files have been renamed, you’re best option is to contact Microsoft Support and ask them to do a (site collection) restore for you. According to TechNet,
“Data protection services are provided to prevent the loss of SharePoint Online data. Backups are performed every 12 hours and retained for 14 days. This describes the data backup services as offered when SharePoint Online is generally available. ”

This case shows that it’s always good practice, to protect your computer with a decent virus and malware protection. Even when your files are stored in the cloud, they might not be safe for an attack.

Administrators or people in charge of the governance plan, should think about allowing the use of WebDAV and OneDrive for Business Sync in their network. If this functionality is allowed, it introduces possible risks for the files exposed by these connections. It might be an option to invest in a 3rd party solution for cloud backups, if you really want to be 100% sure to protect your data.