This article describes how to locate, review, and interpret malware and ransomware threat detections surfaced by Veeam Data Cloud (VDC) Advanced Threat Detection for Microsoft 365 workloads. When Veeam Data Cloud backs up Microsoft 365 data, it automatically analyzes each backup for security threats and flags infected files (malware) and suspicious encryption patterns (ransomware). Detected threats are surfaced in the Threats section of the Microsoft 365 workload view in the VDC portal.
VDC Advanced Threat Detection runs automatically after each backup job completes. It does not scan file content; detection is based entirely on file metadata, behavioral signals, and machine-learning analysis of backup statistics.
Navigate to the Threats View

In the Veeam Data Cloud (VDC) portal, select Microsoft 365 from the left navigation panel, and in the Management section, click Threats. The Threats page contains two tabs:

- Malware Threats: a list of users whose OneDrive, Teams, or SharePoint files were flagged as containing malware during a backup session.
- Ransomware Threats: a list of resources where anomalous encryption activity was detected.
Considerations and Limitations

- Opt-in required: Threat Detection must be explicitly enabled per tenant. It is not active by default, because the AI-powered features require customer consent.
- Microsoft 365 workloads only (current release): Threat Detection currently supports Microsoft 365 (i.e., OneDrive, Teams, and SharePoint).
- Malware detection relies on Microsoft's built-in malware detection signals: if Microsoft does not flag a file as malware, the Veeam Data Cloud platform will not independently detect it.
- Ransomware detection requires a 45-day baseline: new workloads or tenants will not have full anomaly detection until the machine learning (ML) model has established a behavioral baseline. During the ramp-up period, low-confidence anomalies may not be surfaced.
- Ransomware detection is probabilistic: the Random Cut Forest ML model flags statistically anomalous patterns. All detections are labelled "Potential ransomware activity" and are reviewed by Veeam operators before being marked Active.
- File content is never accessed: both malware and ransomware detection operate exclusively on metadata and behavioral statistics. Backup file content is never read, transmitted, or analyzed by the threat detection service.
- False positives may occur: legitimate bulk file operations (e.g., large migrations, mass rename events, encryption of files by authorized software) may occasionally trigger a ransomware detection. Veeam operators review these events before escalating them to Active status.
- Data residency: all threat detection data, including file metadata and detection results, is stored in the same Azure region as your Veeam Data Cloud deployment. No data crosses regional boundaries unless explicitly requested by the customer.
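The baseline, ramp-up, and review behaviour described above can be illustrated with a small metadata-only anomaly detector. The following is an added example written for this article; it is not Veeam code and does not reproduce the Random Cut Forest model VDC uses. It substitutes a much simpler robust-statistics rule (median and median absolute deviation) for the ML model, and the per-session statistics (`SessionStats`), the 8.0 score threshold, the `Detection` record and the constructed 61-day sample are all assumptions made for the illustration. What it shows is the shape of the behaviour the limitations describe: a spike during the first 45 sessions is suppressed because no baseline exists yet, a later mass-rename day is flagged as "Potential ransomware activity" pending review, and no file content is ever touched.

```python
"""Toy metadata-only ransomware anomaly detector (added illustration, not Veeam code).

Stands in for the Random Cut Forest model mentioned in the article using a
median/MAD rule. Inputs are per-backup-session counts only; no file content.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional
import random

BASELINE_DAYS = 45      # from the article: anomaly detection needs a 45-day baseline
SCORE_THRESHOLD = 8.0   # assumed threshold for this illustration


@dataclass(frozen=True)
class SessionStats:
    """Assumed per-session metadata statistics (no content is read)."""
    day: int
    modified: int      # files changed since the previous backup
    renamed: int       # files whose name changed
    ext_changed: int   # files whose extension changed (typical of mass re-extension)


@dataclass(frozen=True)
class Detection:
    day: int
    score: float
    label: str = "Potential ransomware activity"   # label the article says every detection carries
    status: str = "Pending review"                 # becomes "Active" only after operator review


def mad_score(history: List[int], x: int) -> float:
    """Robust z-like score: (x - median) / MAD, floored so a flat baseline
    cannot divide by zero. Median-based so a few spikes in the baseline
    (e.g. a migration) do not inflate the threshold for later sessions."""
    m = median(history)
    mad = max(median(abs(v - m) for v in history), 1.0)
    return (x - m) / mad


def score_session(history: List[SessionStats], current: SessionStats,
                  threshold: float = SCORE_THRESHOLD) -> Optional[Detection]:
    """Return a Detection for `current` if it is anomalous against `history`.

    Returns None during ramp-up (fewer than BASELINE_DAYS prior sessions),
    mirroring the article's note that detection is incomplete until a
    baseline exists, and None for sessions that look normal."""
    if len(history) < BASELINE_DAYS:
        return None
    score = max(
        mad_score([h.modified for h in history], current.modified),
        mad_score([h.renamed for h in history], current.renamed),
        mad_score([h.ext_changed for h in history], current.ext_changed),
    )
    return Detection(day=current.day, score=score) if score >= threshold else None


def run(sessions: List[SessionStats], threshold: float = SCORE_THRESHOLD) -> List[Detection]:
    """Replay sessions in order, scoring each against everything before it."""
    history: List[SessionStats] = []
    detections: List[Detection] = []
    for s in sessions:
        d = score_session(history, s, threshold)
        if d is not None:
            detections.append(d)
        history.append(s)
    return detections


def constructed_sessions() -> List[SessionStats]:
    """Constructed sample data (not real telemetry): 60 ordinary daily sessions
    with one spike on day 10 (inside the ramp-up window) and a mass-rename
    session on day 61."""
    rng = random.Random(7)
    sessions = [
        SessionStats(day, rng.randint(80, 120), rng.randint(0, 5), rng.randint(0, 2))
        for day in range(1, 61)
    ]
    sessions[9] = SessionStats(10, 5000, 4800, 4800)       # day 10: before baseline exists
    sessions.append(SessionStats(61, 4200, 4100, 4100))    # day 61: mass rename / re-extension
    return sessions


if __name__ == "__main__":
    for d in run(constructed_sessions()):
        print(f"day {d.day}: {d.label} (score {d.score:.1f}, {d.status})")
```

Run as a script it reports only day 61; the identical spike on day 10 is silently absorbed into the history because fewer than 45 sessions preceded it, which is exactly the ramp-up gap the article warns about. A real deployment would also want an allow-list or operator annotation for planned migrations, since the day-61 pattern is indistinguishable, on metadata alone, from a legitimate bulk rename.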