Microsoft 365 OneDrive and SharePoint have versioning. Many people consider versioning their disaster recovery solution and don’t use 3rd-party backup services for their Microsoft 365 deployments. Microsoft themselves state: “Versioning helps to protect SharePoint Online lists and SharePoint Online and OneDrive for Business libraries from some, but not all, of these types of ransomware attacks. Versioning is enabled by default in OneDrive for Business and SharePoint Online. Since versioning is enabled in SharePoint Online site lists, you can look at earlier versions and recover them, if necessary. That enables you to recover versions of items that pre-date their encryption by ransomware. Some organizations also retain multiple versions of items in their lists for legal reasons or audit purposes.”
You should be paying special attention to the “but not all” part of that declaration. It’s a hint that they understand the versioning system is not foolproof and may be bypassed or exploited.
In June of 2022 that weakness was realized. Proofpoint discovered potentially dangerous Office 365 functionality that could allow ransomware to encrypt your SharePoint and OneDrive files.
Proofpoint Discovers Potentially Dangerous Microsoft Office 365 Functionality that can Ransom Files Stored on SharePoint and OneDrive | Proofpoint US
External threat actors are only one risk factor. Internal security threats, as well as legal and compliance requirements, should also be considered.
Should something happen to your data, whether by accident or on purpose, internal or external, Microsoft has an incredibly narrow scope of responsibility. It falls to you to protect the critical business assets you store with Microsoft, and the best way to do that is to diversify your backup and disaster recovery with 3rd-party services.
I encourage you to read more about Microsoft 365’s data resiliency as well as your shared responsibility.
Data Resiliency in Microsoft 365 - Microsoft Service Assurance | Microsoft Docs
Customer and Cloud Partner Enterprise Business Continuity Responsibilities - Microsoft Service Assurance | Microsoft Docs