Truth in IT
Veeam: Ransomware Detection Service for Microsoft 365 Backups

Veeam
06/27/2026

Transcript


Cloud because Veeam continues to innovate in the cybersecurity space and today we're launching a ransomware threat detection service that runs right inside of Veeam Data Cloud and alongside your backups. Corinne has done a fantastic blog here detailing the sort of launch that we're doing here today so that's available on Veeam.com. I want to take a little bit under the look under the covers show you in the product and see kind of what this looks like. So let's flick over here and look at the detection service first of all.

So first of all we run these dual detection engines. We're also looking for malware signatures and other bits and pieces integrating into Microsoft's Defender kind of infrastructure that's hosted within M365 but I really want to hone in on the secret sauce that Veeam has built here around the ransomware detection service. So we run two profiles. Obviously there's a fast attack profile. This is looking for things like unusual ratios of files that have been added, removed, deleted, etc. And normal sort of temporal patterns that are running across your environment and also things like known ransomware artifacts and other bits and pieces. So the fast attack profile obviously is a sudden change to your environment and we detect those types of attacks but we also go a bit deeper. We start building up this sort of extended profile of what normal looks like inside of your environment. So for these more persistent attacks or slower attacks that take a little bit longer to maybe form in your environment we can try and catch those as early as possible inside of your M365 data estate.

The neat thing about all of this is it's completely privacy preserving. We're not looking into the actual content of the files itself. We're looking at the metadata and headers and signatures and various different things of the file and we're using a lot of those to feed into this sort of multi-dimensional kind of engine that then determines the probability of it being a potential ransomware event. And the great thing is it's personalized. So we're not taking a global view of what kind of normal looks like inside of your environment. We're actually looking at it on a per user basis or a per resource basis which means we can get really, really detailed and build up a model of exactly kind of what normal looks like for you versus say one of your colleagues who might have a completely different usage profile to you.

So under the hood we're using this thing called random cut forest. And so you imagine these dots here representative of one of the things that we're looking at and one of the dimensions. And we actually do the same process for a lot of the other dimensions that we're capturing as part of this ransomware detection engine. So you can imagine we've got some points here and what we'd actually do using this random cut forest technique is we actually start cutting at random points. And you'll see that if it was cut down here, this outlier or this item here was actually isolated in one cut. You imagine we keep cutting through this data set. We keep counting the number of items that fit within that particular cut. And so you can see that this one here down the left hand side took four cuts for it to be isolated. And sort of the TLDR here is that the fewer cuts typically equals a higher anomaly score when it comes to this random cut forest. So we're doing this across lots and lots of data points inside your environment. This is how we're using it across multi dimensions to sort of work out whether or not there's anomaly score and we start adding these up together. And so why this works is normal backups or these normal dimensions, they form these sort of dense clusters. But ransomware, however, creates these sort of outlier patterns inside of this data set. And so the result really is that ransomware can be isolated very quickly, very efficiently. It doesn't require any training for detection. So we're not again having to go and spin up and build these particular models with a whole heap of training data sets. We're actually able to use this using this unsupervised machine learning method to actually go out and detect these. And so that's really the detection engine at its core.

So why don't we flick across now and take a look at what this looks like sort of in the product. So if we flick over to Veeam Data Cloud here, you'll see that this is my dashboard. So this is my Microsoft 365 dashboard. For those of you who have used this product already, you'll be familiar with all these items down the left hand side. But there's a new threats section under management. And so this is the first foray into our threat dashboard here. And eventually we'll actually apply this kind of same methodology to potentially other workloads inside Veeam Data Cloud. So the goal is to move these threats up into a global threat dashboard so you can see that across all of your workloads. But because we're only announcing it for M365 today, it sits within that window. So if you're looking for it, it sits within your particular Microsoft 365 tenant and you can see those threats here. And you can see now I've got this ransomware threats tab here. You can see all of the, you know, resource types or where this was potentially found, what its status is, you know, whether or not it's active or a false positive or resolved. Obviously, you can come in here and click view details and you'll actually be able to scroll through and actually see the exact file location, where it was. You can go and investigate that and then you can either resolve it or close it out completely. And so it's as simple as that.

So I'd really urge you to take a further look through Corinne's blog here. It's really good. It details it in a little bit more detail around what I've announced today. And if you are a Veeam Data Cloud user, then go on and see if that tab's there. Make sure you've clicked consent for the AI processing that should have popped up in the last couple of days for you. And that's as simple as that. Really keen to sort of get your feedback, see what you think of this service and look forward to announcing further things around the Threat Detection Service.

TL;DR

  • Veeam Data Cloud now includes an integrated ransomware detection service that scans Microsoft 365 backups using dual engines for malware signatures and behavioral anomalies
  • The system builds personalized baselines per user and resource using unsupervised machine learning to detect both fast attacks and slower, extended ransomware campaigns
  • Detection operates on file metadata and headers only, preserving privacy while analyzing multiple dimensions through a random cut forest algorithm to identify outlier patterns

Summary

Veeam has launched a ransomware threat detection service integrated directly into Veeam Data Cloud for Microsoft 365 customers. The service runs dual detection engines that scan backups for suspicious behavior, combining malware signature detection with Microsoft Defender integration alongside Veeam's proprietary ransomware detection engine. The system operates using two distinct profiles: a fast attack profile that identifies sudden environmental changes through unusual file ratios and temporal patterns, and an extended profile that builds personalized baselines for each user and resource to catch slower, more persistent attacks. Using unsupervised machine learning through a random cut forest algorithm, the service analyzes metadata and file headers across multiple dimensions to calculate anomaly scores without accessing actual file content, ensuring privacy preservation. Detected threats are surfaced in a centralized threat dashboard within the Microsoft 365 tenant interface, where administrators can investigate specific file locations, review threat details, and resolve or dismiss alerts as needed.
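
The cut-counting idea and the per-user baseline described in the talk can be seen together in the following added Python example, which is not Veeam's code and not part of the original page. It scores the same backup run against two users' own histories by counting how many random cuts it takes to isolate that run. The feature tuple (added, modified, deleted file ratios), both user histories and the observed run are constructed sample data, and the score is plain isolation depth rather than the displacement-based score of the published Random Cut Forest algorithm.

```python
import random

def cuts_to_isolate(point, points, rng):
    """Count random axis-aligned cuts until `point` is alone in its box."""
    box, cuts = list(points), 0
    while len(box) > 1:
        spans = [max(p[d] for p in box) - min(p[d] for p in box)
                 for d in range(len(point))]
        if sum(spans) == 0:
            break  # only exact duplicates remain; they cannot be separated
        # Pick a dimension in proportion to its range, then a uniform cut in it.
        d = rng.choices(range(len(point)), weights=spans)[0]
        cut = min(p[d] for p in box) + rng.random() * spans[d]
        keep_low = point[d] <= cut
        box = [p for p in box if (p[d] <= cut) == keep_low]
        cuts += 1
    return cuts

def mean_cuts(point, history, trials=200, seed=7):
    """Average isolation depth of `point` against one user's own history."""
    rng = random.Random(seed)
    points = history + [point]
    return sum(cuts_to_isolate(point, points, rng) for _ in range(trials)) / trials

def constructed_history(centre, spread, runs=60, seed=1):
    """Constructed sample data: per-run (added, modified, deleted) file ratios."""
    rng = random.Random(seed)
    return [tuple(abs(rng.gauss(c, s)) for c, s in zip(centre, spread))
            for _ in range(runs)]

# Two hypothetical users with different "normal" behaviour.
LIGHT_USER = constructed_history((0.02, 0.04, 0.01), (0.005, 0.01, 0.003))
BULK_USER = constructed_history((0.10, 0.60, 0.05), (0.02, 0.03, 0.01), seed=2)

# The same backup run observed for both users: 62% of files modified.
RUN = (0.11, 0.62, 0.06)

def score_run():
    """Fewer cuts means a more anomalous run for that user."""
    return {"light_user": mean_cuts(RUN, LIGHT_USER),
            "bulk_user": mean_cuts(RUN, BULK_USER)}

if __name__ == "__main__":
    for user, cuts in score_run().items():
        print(f"{user}: isolated after {cuts:.1f} cuts on average")
```

The run is isolated almost immediately against the light user's history and only after many cuts against the bulk user's, which is why a single global baseline would either miss the first case or raise a false positive on the second.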

Chapters

0:00 - Ransomware Detection Service Launch
0:39 - Dual Detection Engine Overview
2:33 - Random Cut Forest Algorithm Explained
4:22 - Threat Dashboard Demonstration

Key Quotes

0:14 "... today we're launching a ransomware threat detection service that runs right inside of Veeam Data Cloud and alongside your backups ..."
0:52 "I really want to hone in on the secret sauce that Veeam has built here around the ransomware detection service ..."
2:12 "... we're not taking a global view of what kind of normal looks like inside of your environment. We're actually looking at it on a per user basis or a per resource basis ..."

FAQ

Does the ransomware detection service access the content of my Microsoft 365 files?

No, the detection service is completely privacy-preserving. It analyzes only file metadata, headers, and signatures rather than actual file content, ensuring your data remains private while still enabling effective threat detection.

How do I enable the ransomware detection service in Veeam Data Cloud?

The service is available to Veeam Data Cloud for Microsoft 365 customers. You need to provide consent for AI processing, which should appear as a prompt in your console. Once enabled, the Threats section will appear under Management in your Microsoft 365 dashboard.

