BACK TO KB LIST

Malware and Ransomware Detection in M365

KB ID:	4838
Product:	Veeam Data Cloud for Microsoft 365
Published:	2026-03-31
Last Modified:	2026-03-31

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

Oops! Something went wrong.

Please, try again later.

Availability Requirement

Threat Detection is available to Veeam Data Cloud for Microsoft 365 customers with Premium or Advanced plans. Customers must opt in to AI settings to enable this feature. Contact your Veeam account team or see your plan details to confirm availability.

Supported Workloads

This feature currently supports Microsoft 365 workloads only.

Purpose

This article describes how to locate, review, and interpret Malware and Ransomware threat detections surfaced by Veeam Data Cloud (VDC) Advanced Threat Detection for Microsoft 365 workloads.

When Veeam Data Cloud backs up Microsoft 365 data, it automatically analyzes each backup for security threats. It then flags infected files (malware) and suspicious encryption patterns (ransomware). Detected threats are surfaced in the Threats section of the Microsoft 365 workload view in the VDC portal.

How Threat Detection Works

VDC Advanced Threat Detection runs automatically after each backup job completes. It does not scan file content directly, and detection is based entirely on file metadata, behavioral signals, and machine learning analysis of backup statistics.

Threat Type	Detection Method	Data Source	What Is Detected
Malware	Deterministic ^(rule-based)	Microsoft's built-in malware detection	Known malware signatures in OneDrive, Teams, and SharePoint files flagged during a backup session.
Ransomware	Machine Learning ^{(Random Cut Forest)}	Backup file statistics (entropy, extension changes, modification patterns)	Anomalous encryption patterns, unusual file extension changes, and entropy spikes deviating from the established baseline per workload.

Swipe to show more of the table

Privacy-Preserving Architecture

VDC Threat Detection analyzes metadata only. File content is never accessed, transmitted, or stored outside your backup environment. All data remains within your deployment region.

Solution

Navigate to the Threats View

In the Veeam Data Cloud (VDC) portal, select Microsoft 365 from the left navigation panel, and in the Management section, click Threats.

The threats page contains two tabs:

Malware Threats — A list of users whose OneDrive, Teams, or SharePoint files were flagged as containing malware during a backup session.
Ransomware Threats — A list of resources where anomalous encryption activity was detected.

Microsoft 365 Threat Detection dashboard with tabs for Malware Threats and Ransomware Threats, showing a list of malware threats for several entities in OneDrive.

Ransomware Threats tab in the Microsoft 365 Threat Detection dashboard displaying a list of ransomware threats, with one entry for the M8 Project site and its status as resolved.

The lists are sorted by most recent occurrence by default. Use the All Time date filter to scope results to a specific time range.

Investigate a Malware Threat

Click on any row in the Malware Threats tab, click the ⋯ action menu, then select View Details to open the Malware Threat Details panel.

Malware Threats tab in the Microsoft 365 Threat Detection dashboard showing a list of OneDrive entities with resolved malware threats, and the Actions menu is highlighted for one entry.

Understanding the Malware Threat Fields

Entity Name: The Microsoft 365 object name of the infected files.
Resource Type: The Microsoft 365 resource type where the threat was found (e.g., OneDrive, SharePoint).
Number of Impacted Objects: Total count of files flagged as malware within the backup session.
Status: The current lifecycle state of the threat, which could be Active or Resolved.
Resolved By: The user who resolved the threat in the Veeam Data Cloud platform. Keep in mind, the resolution of a threat happens off-platform.
Date of Occurrence: The timestamp of the backup session during which infected files were detected.
Note: This represents the date of detection, not the date of actual infection.
Resolved Date: The timestamp when the user clicked "Resolved" in the Veeam Data Cloud platform.

Malware Threat Details window showing information for a OneDrive entity, including resolved status, number of impacted objects, and a table listing infected file names, locations, created dates, and updated dates.

Understanding the Malware Threat Details Fields

Explanation: A plain-language summary of the detection event.
File Name: Name of the infected file.
File Location: Full URL to the file.
File Created Date: Timestamp of when the file was created.
File Updated At: Timestamp for when the file was last modified.
Resolve Button: Updates the status of the threat in the Veeam Data Cloud platform to "Resolved".

Detection Source

Malware detection for Microsoft 365 is powered by deterministic signals from Microsoft's built-in malware detection. This means detection accuracy is consistent with Microsoft's own malware protection layer.

Investigate a Ransomware Threat

Click the Ransomware Threats tab to see detections based on anomalous backup behavior. Ransomware detections are scoped at the site or resource level rather than the individual user level.

Understanding the Ransomware Threat Fields

Entity Name: The Microsoft 365 object name of the infected files.
Resource Type: The Microsoft 365 resource type where the threat was found (e.g., SITE).
Number of Impacted Objects: Total count of files flagged as malware within the backup session.
Status: The current lifecycle state of the threat, which could be Active or Resolved.
Resolved By: The user who resolved the threat in the Veeam Data Cloud platform. Keep in mind, the resolution of a threat happens off-platform.
Date of Occurrence: The timestamp of the backup session during which infected files were detected.
Note: This represents the date of detection, not the date of actual infection.
Resolved Date: The timestamp when the user clicked "Resolved" in the Veeam Data Cloud platform.

Ransomware Threat Details window for the M8 Project site, showing resolved status, explanation of potential ransomware activity detected, and a table with the impacted file’s name, location, and dates.

Understanding the Ransomware Threat Details Fields

Explanation: A plain-language summary of the detection event.
File Name: Name of the infected file.
File Location: Full URL to the file.
File Created Date: Timestamp of when the file was created.
File Updated At: Timestamp for when the file was last modified.
Resolve Button: Updates the status of the threat in the Veeam Data Cloud platform to "Resolved".

Ransomware Requires a Baseline Period

The machine learning model (Random Cut Forest) requires approximately 45 days of backup history per workload to establish a reliable behavioral baseline before anomaly detection becomes fully effective. During this period, detection may be limited. New workloads or newly protected tenants will automatically build their baselines during this window.

More Information

Considerations and Limitations

Opt-in required: Threat Detection must be explicitly enabled per tenant. It is not active by default due to customer consent requirements for AI-powered features.
Microsoft 365 workloads only (current release): Threat Detection currently supports Microsoft 365 (i.e., OneDrive, Teams, and SharePoint).
Malware detection relies on Microsoft's built-in malware detection signals: If Microsoft does not flag a file as malware, the Veeam Data Cloud platform will not independently detect it.
Ransomware detection requires a 45-day baseline: New workloads or tenants will not have full anomaly detection until the machine learning (ML) model has established a behavioral baseline. During the ramp-up period, low-confidence anomalies may not be surfaced.
Ransomware detection is probabilistic: The Random Cut Forest ML model flags statistically anomalous patterns. All detections are labelled as "Potential ransomware activity" and are reviewed by Veeam operators before being marked Active.
File content is never accessed: Both malware and ransomware detection operate exclusively on metadata and behavioral statistics. Backup file content is never read, transmitted, or analyzed by the threat detection service.
False positives may occur: Legitimate bulk file operations (e.g., large migrations, mass rename events, encryption of files by authorized software) may occasionally trigger a ransomware detection. Veeam operators review these events before escalating to Active status.
Data residency: All threat detection data, including file metadata and detection results, is stored in the same Azure region as your Veeam Data Cloud deployment. No data crosses regional boundaries unless explicitly requested by the customer.

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

Product

Topic

Description

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

I would like to receive a follow-up email regarding my feedback

Verify your email to continue your product download

We've sent a verification code to:

An email with a verification code was just sent to

Didn't receive the code? Click to resend in sec

Didn't receive the code? Click to resend

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.