How Difficult Is It to Remove Ransomware

How Difficult Is It to Remove Ransomware

Ransomware has been a part of the cybercrime ecosystem since the late 1980s and remains a major threat in the cyber landscape today.

Understanding Ransomware Mechanics and Its Short Evolution

The AIDS Trojan was the first known Ransomware attack that encrypted your files and demanded ransom through the postal services over the years, the functionality has been evolving, and it has become more sophisticated.

First, it employed symmetric key encryption, which encrypts data with a single key, however, now most threat actors started implementing asymmetric cryptography, which encrypts files with two keys for added security.

The delivery techniques have also evolved, moving on from the regular phishing email attachments, attackers now take advantage of software flaws and incorporate AI and Machine learning to enhance their evasion capabilities.

Cryptocurrencies like Bitcoin, Monero, and others are now the go-to payment option since they allow hackers to remain anonymous.

Ransomware as a service (RaaS) has made ransomware more accessible to novice attackers, or “Script-kiddies”. Larger organizations are now the target audience, or so we thought.

But attackers increasingly threaten to leak critical material as part of a double-extortion strategy and combine Distributed Denial of Service (DDoS) attacks with ransomware to overwhelm their targets.

Exploring Different Ransomware Types and Their Variances in Approach

As the world evolves, so do the ransomware types and their usage, mostly depending on the goal of the malicious threat actors. In the technology era, the gold standard is information, where the attackers keep their focus and entrapment.

At its core, ransomware is malicious software designed to deny access to a computer system or files until a sum of money (“ransom payment”) is paid. As the end goal varies, so does the approach. Here are some examples of how malicious attackers can infect your systems with ransomware:

  1. Crypto Ransomware (Encryption): The most notable and vicious variant where the attackers encrypt the data on the host or entire organization, demanding payments to be delivered with cryptocurrencies in exchange for the decryption key. 
  2. Locker Ransomware: Another type of ransomware that locks your computer screen, rendering it unusable and restricting access to basic computer functions, accompanied by a popup and message demanding a ransom payment before access is restored.
  3. Scareware: A manipulative type of ransomware intended to trick or frighten the victims into going to particular websites or downloading malicious software. Popup advertisements and social engineering techniques are frequently utilized with the intention of fooling people into downloading or buying dangerous software. An example would be a flash message displayed that your workstation is infected and the attacker suggesting they are here to save the day with their free Antivirus, a classic strategy that unfortunately still works.
  4. Doxware: It involves a process called Doxing, a gathering of personal information about the target and using the scare tactic designed to make the victim feel shameful and disgusted by releasing their personal data. Threat actors breach people’s privacy by getting their hands on private documents and images, which they threaten to make public if a ransom is not paid. This is a more targeted approach, but it could have a wider ‘clientele’ as the target private information includes other potential victims.

Decoding the Mystery Behind Ransomware Removal and Recovery

Ransomware recovery demands a strategic approach, beginning with isolating infected systems to prevent spreading across the network. Simultaneously, it is crucial to discern the specific ransomware variant in play, a critical step as this information guides further steps and the search for customized decryption tools or focused solutions.

After identifying the malware, the eradication process may start, however, before complete removal, it is very wise to back up any essential data to protect against any unforeseen complications.

The employment of reputable antivirus or anti-malware ransomware software, updated to the latest definitions and signatures, becomes pivotal at this juncture, serving as a frontline defense mechanism.

Should circumstances permit, restoring the system from a meticulously maintained and uncontaminated backup stands out as a robust remedial measure.

Sustaining a proactive stance, keeping software and security patches current, educating users on Security Awareness Training, the ins and outs of phishing threats, and, where necessary, seeking professional cybersecurity assistance, complete the comprehensive ransomware removal strategy.

The dynamic nature of cybersecurity activities is highlighted by a post-removal phase marked by persistent monitoring for residual risks that could still bring the organization to its knees. Prioritizing prevention through regular backups and raising cybersecurity awareness is crucial for defending against the constantly changing ransomware threat scenario.

How to Select the Right Approach for Ransomware Removal and Preventative Measures

Ransomware removal is never guaranteed, and the best defense is, being able to focus on your preventative measures. Timing is of the essence when this type of malware gets into your system, and it is crucial to have continuous monitoring properly deployed.

  • Do not pay the ransom – Paying does not guarantee that threat actors will return your files, and even if they do, there is no certainty that they haven’t made a copy and use it for further agenda 
  • Isolate the infected systemsThe first step when there are indicators of ransomware compromise is disconnecting the affected hosts from the network to minimize and control the spread further to other devices and systems 
  • Identify the ransomwareRecognizing the variant helps combat the ransomware, what common locations it resides in, and any remaining infection it may occupy. Using shared intel within the security community could also lead you to a decryption tool (that may or may not exist) 
  • Knock, knock. Whos there? Identify the attack sourcesThis sounds counterintuitive, but if you can identify the attack source, it could be a piece of very useful information to defend yourself from a repetitive infection by taking proper measures, as backups are useless if you close the door again, unlocked.

Steps to Take If Your Email Security Has Been Compromised

MGM Resorts

The notorious ALPHV (BlackCat) crew has unleashed a ransomware attack on MGM Resorts, causing significant havoc that disrupted the website, casino functions, and essential systems such as email, reservations, and digital room keys, plunging MGM’s operations into disarray.

This breach, initiated by social engineering, underscores the escalating risks faced by major enterprises. It’s particularly alarming as it follows a previous security breach at BetMGM, a branch of MGM Resorts, where hackers absconded with data from 1.5 million clients.

In a parallel episode, Caesars Entertainment faced a similar hacker incursion but swiftly recovered by ponying up a substantial ransom.

LockBIT 3.0

Among the prominent players in today’s ransomware arena is the feared LockBit 3.0. This group creates and distributes LockBit ransomware, operating under the ransomware-as-a-service (RaaS) model.

This setup implies that LockBit 3.0 collaborates with affiliates who deploy the ransomware in attacks, with both parties sharing the financial gains.

Affiliates of LockBit employ spearphishing and phishing techniques to penetrate victims’ networks. LockBit group ‘Customers’ acquire and misuse login passwords of active accounts in order to obtain first access, and while LockBit 3.0 is running, the malware executes commands like batch scripts to run malicious commands.

LockBit 3.0 has a global reach, orchestrating impactful cyber attacks on businesses spanning public and commercial sectors. Renowned for their cunning tactics, the gang employs diverse channels to distribute malware, including phishing emails and exploit kits.

What sets them apart is their triple-extortion approach, where they encrypt victim data, threaten public exposure, and engage with partners or customers. Balancing sophisticated techniques with human-centric exploits, LockBit 3.0 remains a formidable force in the cybersecurity arena.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service and Advanced Threat Protection to secure your critical data.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.


To wrap it all up, ransomware is a category of computer infection. It is employed to trick people into making payments. This typically indicates that the ransomware has encrypted your data and requests payment to unlock them. The best course of action is to prevent getting infected and make strong backups of your files in case you do get infected. Depending on how sophisticated the virus is, there might not be a method to get around this.


Can ransomware be deleted?

Removing ransomware from a system is more complex than deleting a regular file. Caution is essential, and paying the ransom is strongly discouraged as it doesn’t guarantee file recovery and may support criminal activities. Prevention, regular backups, and updated security software are vital for protection against ransomware attacks.

What tool removes ransomware?

Keep in mind that no tool can ensure that every ransomware variant has been completely removed and that the effectiveness of a tool can vary based on the particular ransomware strain. Furthermore, proactive defense, timely security software updates, and a solid backup plan are essential to exhaustive ransomware protection.

Is ransomware difficult to remove?

To remove ransomware, think about performing a factory reset on affected systems once you’ve located and isolated them. Paying the ransom is discouraged as removal is never guaranteed, and you only look weak in the eyes of the attackers, making you a recurring target. Rather, prioritize creating a thorough incident response strategy that includes instructions for security partners, how to isolate assaults, and how to record important attack logs for forensic analysis. To guarantee a backup of crucial data, keep up a robust backup management program and evaluate risks regularly. Your organization’s defenses against prospective cyber threats are strengthened by advance planning and abstaining from ransom payments.

Can ransomware be solved?

Ransomware can be solved depending on the variant, your organization’s preparation, and your incident response plan. It is very important to have proper security awareness training and exercises to prepare you for this event, as time is valuable once you become a victim. Tabletop exercises, communication with other security professionals, and intelligence sharing will only boost your chances of fighting this attack. Preparation is key, as it is not an ‘if’ issue but a ‘when’. Ransomware can be solved depending on the variant, your organization’s preparation, and your incident response plan. It is very important to have proper security awareness training and exercises to prepare you for this event, as time is valuable once you become a victim. Tabletop exercises, communication with other security professionals, and intelligence sharing will only boost your chances of fighting this attack. Preparation is key, as it is not an ‘if’ issue but a ‘when’.

How to Avoid an Email Security Breach

How to Avoid an Email Security Breach

Email is still the most important communication channel. More than 300 billion e-mails are sent and received every day. According to forecasts, this figure will increase to almost 400 billion a day by 2026.

Hackers know this and are constantly targeting companies, infecting them via email with various types of malware or phishing attacks. But this only happens when companies have poor security hygiene and fail to provide ongoing employee training.

As an example, in 2019, healthcare organization NHS Highland inadvertently disclosed the health records of 40 HIV-positive people by sending an email via CC rather than BCC. This was considered an email security breach.

This article is about email security breaches and how to avoid them using best practices and Hornetsecurity’s email security services.

We all want to stay ahead of a malicious email leading to a compromised business. Don’t we!?

Understanding Email Data Breaches and the Importance of Email Security

A data breach is data loss or data compromise due to inadequate security measures or human error.

Malicious actors are targeting our infrastructure using various techniques such as malware, phishing, and social engineering. In most cases, these attacks are carried out via email. The hackers try to trick us into opening links or attachments that give them access to our infrastructure and data.

Even if we have the most advanced security measures and systems in place, this is of no use if our employees are not trained in the correct handling of devices, emails, and data.

The first target of most cyber attacks is people. Attackers use our human psychology against us, our willingness to help others or our lack of understanding of the risks involved in email attacks.

The introduction of strong email security measures and employee training reduces the risk of being hacked.

Notable Examples of Massive Email Data Breaches

There have been several data breaches in the last decade. We will not go into all of them, but we will mention a few major data breaches.

In August 2013, Yahoo was attacked by a hacker group. Over 3 billion email accounts were compromised.

In 2018, hackers gained unauthorized access to Aadhar, the largest ID database in India. Over 1.1 billion Indian citizens were affected by this data breach, including their data such as names, addresses, photos, phone numbers, emails, and biometric data.

In July 2019, hackers gained access to over 100 million accounts hosted by Capital One. The hackers stole credit information affecting around 100 million people in the US and around 6 million accounts in Canada.

In June 2021, LinkedIn discovered that 700 million of its user accounts had been exposed to the dark web. This was the largest data breach the company had experienced.

There are dozens of other data breaches that can be traced back to inadequate security measures. 

Exploring Vulnerabilities Stemming from Weak Email Security

Weak email security can expose company data and vulnerabilities. Weak email security is related to weak passwords, lack of multi-factor authentication, lack of security measures against phishing and spam, lack of email encryption, lack of email security policies, lack of ongoing training, and others.

Even failing one of these can damage the integrity and reputation of a company and put it in financial difficulties.

Where there is weak email security, there is plenty of scope for attacks and email security breaches. Attackers can easily penetrate our network and exploit vulnerabilities from the physical to the application layer to attack our unpatched systems, unencrypted storage, unpatched systems, and others.

To minimize the risk, companies should invest in robust email security measures.

Recognizing Signs of a Hacked Email Account

If you suspect that your email account has been hacked, there are several signs you should look out for. Please note that these signs, especially if they are suspicious activity (they could be you), are not always proof that your account has been hacked, but they should trigger an alert to check it out.

There are two possible scenarios. Your account has been hacked and you can no longer use it, or your account has been hacked and you can still use it.

In the first case, hackers have compromised your email account and data and changed the password.

You have tried several times to re-enter your web or email client password, but it does not work. If you have been authenticated in the Outlook client application, you are prompted to re-enter your password. You have probably been hacked.

In the second case, the hackers have compromised your email account but have not changed your password. If you have configured this, you should receive a notification about unusual or suspicious activity in your email account.

Email accounts have a security service that sends emails directly to you or your alternate email address when suspicious activity is detected.

These activities may include notifications of unauthorized access from unusual IP locations or devices, password change notifications, unexpected password reset emails, changes to account information, and unknown devices connected to your email account.

You should always pay attention to these notifications, even if you think it’s not a sign of malicious activity. For example, if you were logged into your email in Germany, then traveled to the US and continue to use your email, your email service will trigger a notification of a new sign-in activity from a different country.

In this example, we see that someone tried to log into my email account from the US and an unknown location, and it wasn’t me.

Email Sign-in activity

Email Sign-in activity

Additionally, if your internal or external colleagues are receiving spam or phishing emails from your account that you did not send, your account is likely compromised.

Note that sometimes an email may appear to be from you, when in fact it was sent from a different email address and merely uses your email addresses as “cover” to make it more likely to slip through defenses.

Check if there are any suspicious emails in the “Sent” folder or if there are any forwarding rules in place to forward emails from your account to a third party’s email address.

Steps to Take If Your Email Security Has Been Compromised

If you are an IT Administrator and you notice in the breach list that some of the emails within your organization are breached, you need to take immediate security measures and inform affected parties.

First and foremost, change the email password and implement (MFA) multi-factor authentication. If you are an end-user and find that you can no longer log in, report the incident to your IT team immediately.

Different security measures to secure your email account

Different security measures to secure your email account

Check your account settings to see if they have been changed. Since many apps are registered to a specific device or you, check the apps and devices associated with your email account. If you notice any unknown devices, block them immediately.

Also, check account activity and see where you have logged in or tried to log in without authorization.

Malicious people could be sending emails to your contact list. You should check your folders for sent, received, and deleted emails. Also make sure that your contact list is informed, as they may have received emails from you that originate from malicious people.

Scan your computer and network for malware and viruses.

Once you have found the root cause and taken the measures mentioned, you should find out what caused it, document it, and strengthen your security measures to prevent it from happening again.

How can you do this? Read the section below on Hornetsecurity.

Strategies for Organizations to Mitigate Simple Email Mistakes

One of the most common email errors is incorrect delivery. That is, when you accidentally send a confidential email with or without attachment to the wrong external email contact.

One of the ways to alert employees when the company sends email notifications is through external email notifications. Microsoft 365, for example, offers you the option of activating external email alerts. If you send an email to an address outside your company, you can see the warning as a precautionary measure.

External Email Warning Message Microsoft 365

External Email Warning Message Microsoft 365

Another example of incorrect delivery is the improper use of CC and BCC email fields. In 2019, representatives from the healthcare organization NHS Highland sent emails to nearly 40 HIV-positive people, publicly exposing them and breaching confidentiality.

What did they do to publicly expose them? They sent an invitation to a support group run by a health clinic, using the CC and not the BCC (Blind Carbon Copy) email field. For the sake of sharing, with CC all recipients are visible to everyone, whereas those who are BCC’ed are not visible to anyone.

Another mistake is not recognizing spam. Spam is an unsolicited advertising message that. Phishing emails on the other hand are malicious emails, either with links to malware or some other dangerous site, or malicious attachments. Users should be trained to recognize these and report them immediately to the IT department.

How can you mitigate these simple email mistakes? By providing continuous security awareness training and challenging users’ actions.

Additionally, use email filtering and security detection to block malware, spam, and phishing attacks before they land in your user’s inboxes.

Reducing the Risk of Email Data Breaches: Best Practices

Security is a shared responsibility. It is the organization’s responsibility to implement security measures and training on security, and it is the end users’ responsibility to follow them.

First and foremost, make sure you have a strong password culture. That means enforcing various password policies within your organization. These policies include password complexity, password length, minimum and maximum password age, password history, password lockout, and others.

For example, the password’s complexity determines which characters should be included in it, while the length determines how long it should be. If you apply these two policies to your email accounts, you can get a password with at least 12 characters, including upper and lower case letters, numbers, and symbols.

As far as password guidelines are concerned, you should never use the same password for multiple accounts. If one is hacked, so can all the others. Also, never use personal information in your password.

Using a strong password is not enough. You should implement MFA (Multi-Factor Authentication). With MFA, you must confirm your identity via SMS, app, or biometric data. If a hacker were to hack your password, they would be unable to successfully log in if they do not have access to your phone. MFA is a must. Not an option.

Hackers use social engineering and phishing to trick you and gain access to your computers. How can you fight them? With solutions like the Hornetsecurity Security Awareness Service, you can also simulate phishing attacks and create sophisticated phishing emails that train users to spot suspicious emails. With this service, you can target everyone from entry-level to C-level.

Phishing attacks will still come after the training. You should implement email security measures that recognize and block phishing attacks in time.

You can find out more about preventive phishing measures in the section Protect your brand with Hornetsecurity: The role of email security.

There are other practices that are a variation of what we mentioned above.

Protect Your Brand with Hornetsecurity: The Role of Email Security

Hornetsecurity offers you a range of tools to strengthen your email security and mitigate email data breaches. These include advanced threat protection, spam and malware protection, and email encryption.

Advanced Threat Protection

Advanced Threat Protection protects your organization from advanced cyber security attacks and threats such as ransomware, phishing, and more. This is very important protection as malicious individuals and groups target organizations with malware such as Emotet, Tribot, GandCrab, and others. The easiest way to send them is via email.

We are trying to make our lives easier by providing everyone with a QR code to download or access a specific website. It’s easier to scan it than to type it in. Isn’t it? Very often hackers put links that direct you to a malicious website to download or simply access a link.

Advanced Threat Protection offers a QR Code Analyzer that analyzes QR codes and checks if they are malicious, in which case the email is blocked accordingly.

QR Analyzer

QR Analyzer

Advanced Threat Protection protects you against blended attacks that are combined into a single email attack. Blended attacks include different types of malware such as viruses, spyware, spam, and phishing.

Hornetsecurity uses various technologies to protect you from email attacks, including sandboxing, freezing, safe links, URL scanning, real-time alerting, and ex-post alerting.

A strong alliance against all methods of attack

A strong alliance against all methods of attack

The sandbox engine scans the attachment in an isolated environment and checks for malicious activity. If the document is malicious, the file is quarantined, and the IT Security team is notified. If a file cannot be classified as malicious, but seems suspicious, Hornetsecurity freezes it for a short period.

Advanced Threat Detection also helps you to scan links before you open them. If you receive attacks such as PDF or Word documents and they contain links, the URL scanning engine can scan them without compromising the integrity of the document.

When an attack occurs, Advanced Threat Protection sends a real-time alert and informs you accordingly. It also supports ex-post alerts to inform you about emails that have already been delivered and are subsequently classified as malicious. It’ll even reach into user’s mailboxes and delete malicious emails that have already been delivered.

Email Security

Hornetsecurity email security offers you a powerful spam filter and protection against malware. According to our research, 50% of the world’s email traffic is spam. Email Security offers the highest detection rate on the market, with 99.9% guaranteed spam and virus detection.

It protects you from DDoS attacks and phishing emails.

It also supports informal filtering, data traffic encryption, link tracking, phishing filters, automatic virus signature updates, outbound filtering, bounce management, dynamic virus outbreak detection, and multi-level spam detection.

In 2023, Hornetsecurity processed in excess of 45 billion emails which provides a unique opportunity to identify emerging threats and critical vulnerabilities, reveal important trends and can make informed projections for the future of Microsoft 365 security threats, enabling businesses to act accordingly. Read more in our Cyber Security Report.

Hornetsecurity spam filtering and malware protection can be integrated into the email management system. Ask about Spam Filtering and Malware Protection now.

Email Encryption

Email encryption enables the encrypted exchange of emails. This is extremely helpful when exchanging sensitive data and attachments. If a hacker intercepts them, they can read them.

It supports all standard encryption technologies including S/MIME, PGP and TLS. It takes minimal effort to manage encryption, user certificates and encryption policies.

Email encryption includes the following features: Testing option for encryption suitability, automatic digital signing & encryption of outgoing emails via S/MIME and PGP, automatic certificate management & key storage, individual setup and definition of encryption policies, personal email certificates, confidential communication via Websafe, and others.

You can read more here Encrypted email – secure email with PGP, S/MIME, TLS Email Encryption.

You can also opt for email compliance and productivity tools for email archiving, signatures and disclaimers, and continuity services.

Security Awareness Service

According to the World Economic Forum, 95% of all cyber security incidents are caused by human error. One of the types of human error is clicking on suspicious links and attachments in phishing emails. Hornetsecurity has developed a solution that simulates realistic phishing emails and is aimed at everyone from entry-level to C-level.

The solution is called Security Awareness Service. It is a fully automated awareness benchmarking, spear phishing simulation, and e-training to raise awareness and protect employees from cyber threats.

It offers an ESI (Employee Security Index) that continuously measures and compares the security behavior of employees throughout the company. Based on the target group in your company and their ESI index, you can develop a customized training course that is tailored to their needs.

Weekly, monthly, or however you like, you can trigger phishing emails and test your employees’ phishing detection skills.

This way your network stays safe.

To properly protect your cyber environment, use Hornetsecurity Advanced Threat Protection to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


Email security breaches let malicious individuals or groups access your company data. This happens due to inadequate security measures and a lack of security awareness.

Hackers attack companies through emails by using social engineering and phishing attacks. The idea behind these two attacks is to trick people into opening malicious links and attachments in email in order to gain access to their data. It is one of the most common malicious methods.

Another way for hackers to gain access to emails is if organizations or companies use weak email security. This indicates weak passwords, lack of multi-factor authentication and inadequate email security software.

Security is a shared responsibility between IT teams and employees. IT teams should implement strong email security measures and enforce policies, and employees should follow them.

This article covered email security breaches, how they occur, and what users and organizations can do to prevent them. It also demonstrates the power of Hornetsecurity’s email security solution.


What is an email security breach?

An email security breach occurs when hackers gain unauthorized access to our data and make it publicly available or use it to attack us. This hurts the integrity of our data and the availability of email communication. This happens due to cybersecurity attacks, phishing, and inadequate security measures in companies.

What happens if your email is breached?

If your email is breached, your organization can get into serious problems. Malicious people get access to your data, they can expose them publicly, inject malware and disrupt business operations.

Can I check if my email has been hacked?

If your email has been hacked, the hacker will probably change a password and you will no longer be able to log in. The second scenario is that your email has been compromised, but you can still use it. Email security services can trigger a notification of unauthorized access from a third-party IP or location in this case.

Can I check if my data has been breached?

You can check whether your email, and therefore your data, has been hacked. There are various services that you can find online to check whether your email is in the hacked database.

Email Threats in 2024 Are Evolving – How Advanced Threat Protection Keeps Your Business One Step Ahead of Attacks

Email Threats in 2024 Are Evolving – How Advanced Threat Protection Keeps Your Business One Step Ahead of Attacks

The most common way that criminals gain access to your business is through malicious emails. This is often a phishing email, asking the recipient to change their corporate password with a link to a site, or to approve a parcel delivery, or in what’s becoming more common, scan a QR code on your phone to access a business application.

These risks are all real, and they are used to compromise businesses every day.

To make sure your business isn’t the next one in the headlines for all the wrong reasons, you need a strong and layered defense, that adapts and evolves with the ever-changing threat landscape.

In this article we’ll explore how Hornetsecurity’s email security services seamlessly integrates with your Microsoft 365 email services and protects you from simple, volume-based threats with smart tech, keeps you safe from advanced attacks such as spear phishing with Advanced Threat Protection (ATP), safeguards your users from malicious QR codes out of the box and if all of those layers fail, trains your users to spot and report malicious content.

We’ll go deep on ATP, without revealing details criminals can use to bypass your defenses.

Two Ways to Integrate With Exchange Online

There are two technical approaches to layer email security on top of Exchange Online in Microsoft 365:

  1. The first involves changing the Mail eXchanger (MX) records for your email domain (“”) in the internet’s Domain Name System (DNS) to point to our service. All incoming mail will pass through our services, providing a clean feed to your user’s inboxes.
  2. The second method is creating an application in Entra ID (formerly Azure Active Directory, AAD), the identity platform underlying Microsoft 365 and giving it specific permissions to the Graph Application Programming Interface (API) that exposes user mailboxes. This second approach allows additional flexibility, such as the ability to reach into user’s mailboxes after an email has already been delivered and deleting it, if the system has determined that something was missed in the original delivery scan and the email is now identified as malicious.

Hornetsecurity applies both methods, combining the best of both worlds for unsurpassed protection.

Dealing With Low Hanging Fruit

In our 2024 Cyber Security Report we saw that out of the 45 billion emails we scanned in 12 months, 36.4% were categorized as unwanted. That’s over a third of all emails that you want to keep out of your user’s inboxes. Out of that third, 3.6% were flagged as malicious.

Clearly you need a fast system to deal with the vast amount of junk quickly, which we do at the blocking phase, weeding out connections from known bad email servers, and traffic from known bad senders.

We have a 99.9% guaranteed spam detection and 99.99% virus detection, using 18 independent virus and phishing spam filters, and we scan both incoming and outgoing emails for spam, malicious URLs and viruses.

Hornetsecurity ATP - Stay ahead of email threats

Sometimes an email bounces, meaning it’s sent back as the address is unknown (or accidentally mistyped) which is useful for the sender to know. However, sometimes you get bounced emails because an attacker used your email as the sending address, we filter out these fake ones to protect against backscatter and bounce attacks.

It’s an Arms Race

The above services deal with most of the incoming undesirable and malicious emails. However, attackers spend a lot of time and effort changing their attack methods to bypass email filters. This is where ATP comes in.

One popular option is attaching an encrypted document to an email. Normally anti-malware engines can’t scan these and so might miss a malicious file, ATP uses Malicious Document Decryption to protect against this.

QR codes in emails is an attack type that’s gained momentum in the last few months, partly because QR codes are now such a normal part of life (restaurant menus, paying for car parking etc.), and partly because it moves the attack from the (often) corporate owned and managed PC to a user’s personal phone.

It neatly bypasses all the protections in place on the computer and the URL in the QR code often leads to a familiar looking login page. ATP has had built in QR code scanning for common file types (GIF, JPEG, PNG and BMP) for over a year.

ATP has many layers of protection such as the Sandbox Engine, which will open all attached files, identifying malicious attachments and if they are, the email is quarantined.

The Sandbox Engine looks at if the attached files show signs of detecting that they’re running in a VM or a sandbox, which is a dead giveaway that it’s malicious. It also uses a file system monitor to see if the attachment writes or alter files, a process monitor to see if the file starts a child process (popular in malicious Adobe PDF files).

There’s also a registry monitor to spot unusual values being stored in the registry (often used for persistence when the PC is restarted) and network monitoring to see if the document is trying to communicate with an endpoint on the internet, another unusual behavior for a document.

Memory is inspected from a forensic point of view (again, documents accessing memory in unusual ways is a strong indication that it’s malicious). Tying it all together is a Machine Learning engine that looks at the above signals, and over 500 indicators, and separates malicious files from benign ones with very high accuracy.

Freezing is another approach, if an email is suspicious, but not clearly classified as bad yet, it’s held back for a short time. New data may lead to a positive identification of a virus attachment for example.

All links in emails (URLs) are rewritten with a link to our secure web gateway, and scanned both when the email is received and when the user eventually clicks on it.

To work around this, attackers often include the links in attached files, which can’t be rewritten (it would alter the integrity of the document), but our engine still follows these links to verify if there’s any malicious payload on the target end.

One very important feature of cyber security tools is to let you know when bad things are afoot, and ATP provides real-time alerts when your organization is under a targeted email attack.

A related feature is Ex-Post alerts: if emails that have already been delivered are subsequently identified as malicious your IT team is notified.

As mentioned, these emails can be automatically deleted, but the user may already have clicked a link, or opened an attachment, so your response team might want to investigate these user accounts / devices further.

Human beings are still the weakest link, and our psychology is used against us when attackers employ social engineering tactics.

Our Targeted Fraud Forensics uses automated fraud attempt analysis and intention spoofing recognition to detect and prevent social engineering attacks.

It looks at the language of the email, looking for patterns that indicate malicious intent, espionage attacks, or if the text presents false facts to get the recipient to respond, as well as spotting forged sender identities.

Sending to the Right Recipients?

Another feature that’ll assist your overall email security posture is AI recipient validation, which will warn you if you’re including an unintended recipient, or if you’re missing a recipient that should have been included.

It’ll also warn you if the email contains sensitive information, like Personal Identifiable Information (PII), inappropriate wording or if you’re replying to a large distribution list. This analysis is done locally in the Outlook client, no data is sent to our service.

Of course, there’s a dashboard for administrators to see what warnings the users had, and what their response was, and an admin can also disable particular warning scenarios, exclude users from different warnings, and add external domains to be treated as internal ones.

Improving Your Human Firewalls

No protection system is completely foolproof, there will be times when a malicious email sneaks through your defences, at least temporarily, and this is where training your users is vital.

Many other services for this take a lot of administrator time, planning, scheduling, and following up with the users who fell for the simulated phishing attacks. Hornetsecurity’s Security Awareness Service is different, and is mostly set-and-forget.

Each user is tracked with an Employee Security Index (ESI), users who rarely click on simulated malicious links or attachments aren’t bothered with simulations, whereas repeat offenders receive more simulated attacks, as well as short, relevant video training content.

It also uses gamification to increase engagement amongst your users.

Stay ahead of the evolution of email threats in 2024 with Advanced Threat Protection from Hornetsecurity. Protect your business and your employees against sophisticated attacks. 

Don’t wait any longer; protect your email with Hornetsecurity and ensure the resilience of your digital assets.


Email is the most prevalent vector for attackers to compromise your users, and then used to further infiltrate your systems.

A comprehensive email hygiene service must deal with the easy threats, mass mailed spam and phishing, as well as advanced threats such as spear phishing and targeted email lures.

Hornetsecurity’s spam and malware filters, combined with Advanced Threat Protection, is the best defence. Add in the additional services such as AI Recipient Validation, along with Security Awareness Service and you have a winning combination.


How does Hornetsecurity's Advanced Threat Protection (ATP) detect malicious documents?

ATP uses malicious document decryption, a sandbox engine and a machine learning engine to inspect file behavior, registry changes, network communication and memory access, achieving high accuracy in distinguishing malicious files.

What happens if an email is suspicious but not clearly identified as malicious by ATP?

Suspicious emails are temporarily held back using a freezing approach. During this time, new data may lead to positive identification, and all links are scanned through Hornetsecurity’s secure web gateway before being delivered to the user.

How does Hornetsecurity's Security Awareness Service engage users in training without extensive administrator involvement?

The Security Awareness Service employs an Employee Security Index (ESI) to track user behavior. It automatically tailors simulated attacks and video training content based on individual responses, utilizing gamification to enhance user engagement with minimal administrative effort.

What Are Email Data Leaks and How to Prevent Them

What Are Email Data Leaks and How to Prevent Them

According to our research published in Cyber Security Report, email continues to be the primary communication channel for many organizations, with over 333 billion emails sent and received daily. Based on projections, that figure will increase to almost 400 billion daily by 2026.

This means that more cyber-attacks are being spread via email. While it may seem like a simple thing, we need to make sure we know how to use email properly, what we’re sharing and who we’re sharing it with.

This article is about email leaks and how to prevent them.

What Is Data Leak? Why Do Data Leaks Happen?

A data leak is when sensitive data is exposed to someone(s) not authorized to see it. Data leaks can occur for two reasons: cybersecurity attacks and inadequate security measures.

Sensitive data includes Personal Identifiable Information (PII) and business data such as project plans, financial details, software code, and other similar types of data.

Personal Identifiable Information (PII) is any data that can be used to identify someone such as their first and last name, email address, phone number, passport number, driver’s license, social security number, and other personal information.

Malicious Methods That Cause a Data Leak

Attackers use various malicious methods that cause data leaks. Individuals or groups employ various methods to trick end users into gaining access to their data. Three common methods are phishing attacks, malware attacks, and brute-force attacks.

Malicious Methods That Cause a Data Leak

Phishing mail attacks are one of the most common malicious methods we see nowadays. According to our Cyber Security Report, almost 40% of attacks are delivered via phishing mails. We often see viruses or other types of malwares integrated into different file types, including Word, Excel, PDF, and archives.

Hackers develop sophisticated emails that look like the real thing and trick you into opening malicious links or attachments to gain access to your network. Phishing attacks are used in combination with social engineering to trick people into revealing their sensitive data by impersonating people.

Phishing attacks are carried out via email, SMS, voice and QR code scams.

Malware is a second method attackers use to try to penetrate your network. It is a broader term that covers various malicious software. This includes viruses, trojans, worms, ransomware, spyware, adware, keyloggers and more. According to our Ransomware attacks survey, 1 in 4 (23.9%) IT professionals say their organization has been the victim of a ransomware attack.

The best protection is Endpoint Detection and Response (EDR) on end user devices, strict firewall rules and security solutions that block internal and external malicious activities. You can read more about malware attacks here Malware vs. Viruses: Understanding the Threat Landscape.

In third place is a brute force attack. In such an attack, your username (email address) is loaded into brute force software, which then attempts to guess a password based on various password combinations stored in dictionaries. Dictionaries can be found for free on the Internet. The best practice here is to have a strong password and use multi-factor authentication.

Poor Security Practices That Cause Data Leaks

There are various reasons for data leaks.

First and foremost is a poor security culture. Your credentials are the first layer of attack. Never use weak passwords to protect your online accounts. If you are an IT administrator, you should enforce a password policy that prevents the use of weak passwords. You can read more in the next section.

When you log in with your account on a shared computer in your company or in public, always make sure that you have logged out. If you don’t and someone else, hypothetically a malicious person, gains access to your email, it could lead to a data leak.

If you are staying in a hotel or your favorite cafe, you should be very careful about which Wi-Fi network you use. There are many scenarios where a malicious person will try to eavesdrop on traffic on an open network.

The best thing to do is to set up a mobile hotspot and use the internet via your cell phone. You can also train your users to use a VPN for every connection, although this does carry the risk that a user might forget to use it on an untrusted network.

An inadequate security measure may also be that someone has unintentionally sent an email to the wrong external email address (misdelivery). Even a second of unintentional action can lead to significant problems for us.

This happens when a user accidentally sends sensitive information to the wrong email address. According to Verizon Data Breach Report 2022, there were 715 incidents, 708 with confirmed data disclosure, that compromised personal, medical, financial, and other data. 

Double-check to whom you are sending your email.

If you are using a bad password or a single password for more than one account, please change it immediately. Each account should have a different strong password. Now you are probably going to say how to memorize it!? You don’t need to see below.

Other bad practices usually relate to infrastructure and inadequate policies. You can find out more about this in the section “How to prevent data leaks”.

The Dangers of Bad Password Hygiene

Despite cybersecurity experts and companies advocating for a strong password culture, passwords in many organizations continue to be the weakest link. According to the Specops Breached Password Protection list, there are 2 billion breached passwords, and that number is increasing daily.

It is the responsibility of IT teams to enforce password policies in companies. This primarily includes the use of complex passwords with lower and upper-case letters, numbers and special characters.

Different security solution providers give different recommendations on the number of characters a password should have. The general rule of thumb is that more characters are better. Do not use less than 12 characters.

In the past we often enforced frequent password changes (every 30 days was popular). This has proven to be counterproductive, and both NIST in the US and GHCQ in the UK now recommend not to enforce frequent changes.

This just leads to people picking easier passwords and attaching the number or the name of the month to the end of their passwords for example.

You should also introduce a password history policy to prevent the reuse of old passwords. According to an Online Security Survey conducted by Google, 65% of people reuse their passwords. This is a major security issue.

In addition, you can introduce other password policies such as lockout policies, disabling accounts that are not being used, introducing multi-factor authentication (MFA), assessing password strength, monitoring account access, introducing SSO and others.

The bottom line is that today, just using a username and password for identifying a user isn’t adequate, wherever possible you must use strong authentication such as MFA, including phishing resistant MFA such as FIDO 2 hardware keys, or biometrics such as Windows Hello.

These measures stop 98%+ of all identity-based attacks.

One of the most common mistakes of poor password hygiene is sharing login credentials via email. Imagine if someone were to gain access to your email and find your password? This would mean that a malicious person would be able to compromise your integrity and your data.

Implement Password Managers

Don’t write down your password on sticky notes, notes or anywhere else. It’s best to use a password manager and store your passwords in secure and encrypted password vaults. Whenever you need your password for a service or device, log in to your password manager, copy it and then enter it.

Password Managers also provides you with extensions for your favorite browsers that allow you to retrieve your password when you need to log into your account.

This practice benefits users at all levels, from end users to IT administrators who manage many different systems.

What Should I Do if I Find My Address in an Email Leak?

If you find your address in an email leak, you should immediately change your password. A new password should follow the policy introduced in the previous section.

What Should I Do if I Find My Address in an Email Leak?

Use Password Managers to store your password, don’t store it written or printed on paper, stored in .txt or any other files on your machine, or shared via email. Password Managers are designed to do it most securely.

In case of email leaks that happen in organizations, you should inform relevant stakeholders and check if there were any suspicious activities done on affected services.

Note: Do not ignore security breach notifications, ignoring would put your account and data at risk.

How can I know if my account was leaked?

According to haveibeenpwned, as of November 2023, there are over 12 billion accounts leaked. If you want to check if your email or account was leaked, navigate to, enter your email address, and click Pwned?

You can also subscribe (for free) to get notified when future pwnage occurs and your account is compromised, there are also options for organizations to monitor their entire email domain, instead of just individual accounts

';--have I been pwned?

How To Prevent Data Leakage

From an IT management point of view, you should introduce access control and define who is allowed to do what. One of the most important measures is to introduce access control with minimum authorizations.

Your data should be encrypted regardless of where it is stored, both in transit and in storage. Even if a malicious person gains access to the data, they cannot read it.

Security is a shared responsibility. Make sure that you implement strong security protection on your network and endpoints and that your employees are trained in handling the data.

In addition, you should ensure continuous monitoring and logging of all activities that take place internally or externally on your services.

Please note that data leaks are not a one-off event, but an ongoing process that requires strong technology and employee awareness.

Many websites or client–server communications do not use TLS (SSL) certificates. This means that the communication between you and your server is in plain text and can be intercepted and read by a criminal.

Make sure that your website uses certificates, that communication is encrypted and that you renew them on time. Better yet, automate the process using a service like letsencrypt which not only ensures your certificates are renewed on time, but also offers free certificates. 

Make sure your infrastructure is always up to date at the physical and application level and patched with the latest updates. If our systems are not patched with the latest security updates, this poses a major security risk that can be exploited by attackers to gain access to our network.

To maintain security measures, you should apply compliance regulations and industry standards to prevent data breaches. Some of the factors that can lead to a data leak are shadow IT, poor data processing practices, lack of encryption, poor BYOD (Bring Your Own Device) practices, inadequate employee training and others.

How Hornetsecurity Can Help You Stay Protected Against Data Leaks

According to the World Economic Forum – The Global Risks Report 2022, 95% of all cyber security breaches are caused by human error. Malicious people (read hackers) try to exploit human psychology using phishing and social engineering.

To prevent it, organizations need to provide continuous training to employees on how to use technology and prevent data leaks.

That is where the Hornetsecurity Security Awareness Service comes into play. Security Awareness Services provides fully automated awareness benchmarking, spear-phishing simulation, and E-Training to sensitize and protect employees against cyber threats. Practically speaking, you can train and then challenge your employees by simulating sophisticated email attacks.

Service Awareness Service provides ESI (Employee Security Index) that continuously measures and compares employee security behavior across the organization and offers individual training needs.

Awareness dashboard in the control panel

Security Awareness Service also provides an e-learning hub for employees where they learn security content on how to handle phishing attacks in multiple languages.

That is not all.

Hornetsecurity provides several solutions that help you strengthen your security and prevent data leakage including fully automated, secure, and effective email encryption, the cloud-based corporate email platform with integrated spam and malware protection, email archiving service to ensure email data integrity & compliance for M365 and other email servers, powerful spam filtering and malware protection to stay ahead of cybercriminals and more.

You can read full insights into different Hornetsecurity solutions that help you stay safe. You can read more here Email Cloud Security Services from Hornetsecurity.

Remember, the best way to protect against malicious methods is to have a proper understanding and implementation of IT Security

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service, and Advanced Threat Protection to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam and malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


Data leaks are a constant challenge that occurs in many organizations. There are two reasons for this. The first is when users accidentally share data by sending sensitive emails to the wrong email address or forgetting the USB stick with the data in a public café. The second is when malicious people attack our infrastructure with malware.

There is a solution for both cases. IT teams should implement strict security mechanisms from the physical to the application level, strict access control and good password policies and enforce MFA for all user accounts

Security is a shared responsibility. Employees should be trained in the proper handling of emails, passwords and anything that could put data at risk.

Hornetsecurity offers an e-training and security awareness service platform that allows you to educate and challenge your employees by exposing them to fake phishing attacks that look like real attacks.

In this article you learned all about data leaks and how to prevent them.


What happens if data is leaked?

When sensitive data is leaked, it can have various consequences, such as privacy issues, financial losses, reduced customer satisfaction and business disruption. If our data is exposed, especially if we are vendors, it has a negative impact on our reputation. Any data leak should be taken seriously, and we must take all preventive measures to stop it.

Is it bad to leak your email?

It is considered bad and risky to pass on your e-mails. Malicious people can use them to target you with phishing and social engineering attacks. To protect your email, you should use or enforce a strong password and enable multi-factor authentication.

What does it mean when your password has been in a data leak?

If your password has been leaked, it means you are in trouble. A malicious person could access all of your online services that use this password and thus obtain and expose your data. If you use the same password for multiple services, a malicious person could try to access all services and compromise your reputation and the integrity of your data.

What do email hackers look for?

Hackers or hacker groups are looking for data with which they can blackmail you, demand money or pass on your data to third parties who could be of use to them.

Email Threats Have Never Been Bigger – 4 Key Cyber Security Report Findings

Email Threats Have Never Been Bigger – 4 Key Cyber Security Report Findings

It’s on the evening news, in your social media, in nearly every vendor presentation you attend, and the theme of most large IT conferences – security. And the security threats to M365 have never been larger. Luckily, Hornetsecurity’s Cyber Security Report 2024 is now out and contains cutting-edge research on the most critical M365 security. In this article, we’ll look at the main takeaways and cyber risk management steps you should implement in your tenant to combat email threats and reduce your chances of ending up on front page news (for the wrong reasons). If you’re in a large corporation with supportive executives and a clear mandate to improve your cyber resilience, you probably know exactly what steps you need to take. For the rest of us, whether you’re in a large or small business, the huge wave of security advice for the cyber threat landscape can be hard to surf (apologies for the Aussie reference). What do you do first? What’s going to give you the most resilience against cybersecurity threats? Here are the four major takeaways from the Cyber Security Report 2024.

Email threats – still the primary vector

Let’s start by looking at different types of email security threats. Regular spam entices you to buy something, and then there’s phishing. This type of attack relies on social engineering to trick the user into clicking on a link, entering their username and password into a fake login page, or opening an attachment they shouldn’t. Variants include smishing in SMS/text messages, vishing in voice messages or calls, and spear phishing, a specially crafted, targeted email threat that lures specifically for particular recipients. Another type of email security threat, which poses a significant risk to businesses, is Business Email Compromise (BEC), which also relies on social engineering to trick users, but here, the criminal is inserting themselves into a legitimate email conversation thread and (for example) at the right time, sends an email advising that a bank account number has changed for the upcoming transaction, of course leading to the criminal’s bank account.  Spoofing is often a part of these attacks where the email looks like it’s coming from a trusted or known sender, but there are slight changes to domain names or sender display names that’ll fool a casual observer. Overall estimates (criminals don’t submit financial reports) say that BEC losses worldwide are actually outstripping ransomware costs. The final category of email threats is malware delivery, either directly as an attachment or tricking the user into clicking a link to download the malware, often leading to system compromise. Here’s an example of an email threat malware attack, covered in depth in the Cyber Security Report 2024. Email Threat - Malware attack in the QakBot campaign from the Cyber Security Report 2023

A Growing Industry

The days of a group of hackers performing every step of a compromise are long gone. Today, the cybercriminal marketplace has evolved into specialization, where each group completes a single step and then sells that to the highest bidder. So, you don’t write your own access tools; someone else does, and you buy it from them (or rent, and they take a cut from your “earnings”). You also procure a ransomware kit from someone else.  Perhaps you buy access to a victim organization from an Initial Access Broker (IAB). In this gig economy of criminality, you don’t get the whole pie for yourself, but the overall efficiency is improved because everyone is focused on their link in the chain. And the barrier to entry is lowered considerably, inviting more players into this burgeoning “industry” of data breaches. Also, with the move to “big game” ransomware attacks where payouts in millions of dollars aren’t unheard of, expect the criminals to do their homework on sites such as LinkedIn and ZoomInfo – they’ll know exactly what you can afford to pay once they spring their trap. And they’ll focus on targets most likely to pay, such as hospitals and critical infrastructure, whose function in society will increase the pressure to pay. Some are even state-sponsored ransomware attacks, which are generally harder to defend against. IABs has a few different ways to gain access to your organization. They might buy credentials from a data breach and try matching emails/passwords against your Microsoft 365 tenant; it’s no secret that most users re-use their “favorite” password across personal and business accounts. Your best protection here is MFA – preferably a phishing-resistant flavor such as FIDO2 key or Windows Hello for Business. Also, block commonly used passwords using Password Protection in Azure AD / Active Directory. But as the report reveals, the preferred way of compromising patient zero is through Phishing. Nearly 5% of all emails in our data (25 billion emails over the year) are classified as malicious, and 40% of attacks involving emails are phishing. Send a specially crafted email to the user with an enticing attachment or an important-looking link in the email itself, and wait for the users to do your work for you. Once they enter the credentials on a fake Microsoft 365 login page (this is why you should customize backgrounds and logos so that users are more likely to stop and think when the login page doesn’t look familiar) or open the malware-laden attachment, it usually only takes minutes before the criminals use the access. Unwanted emails by category - from the Cyber Security Report 2023 By now, it should be obvious that you need a strong and easy-to-use email hygiene solution to keep your organization and your sensitive data safe from cybersecurity threats such as 365 Total Protection. But technology alone isn’t enough to combat email threats; you need to improve your “human firewalls” by training your users, another conclusion we made in the Cyber Security Report 2023.  The combination of well-trained people, secure processes (call to check with the person in the other company whenever a bank account number is altered, for example), and technology creates a cyber-resilient business. You can’t combat many cyber threats individually, but you can increase your organization’s overall security defenses by combining people, processes, and technology. We also found that brand impersonation is very common in email threats. Users are much more likely to fall for a phishing attack if the email looks legitimate, with all the right logos and text. Cyber security vulnerabilities aren’t just about technical flaws; they’re just as much about psychology and creating the right approach and culture to manage cyber risk. Email Threat attack techniques from the Cyber Security Report 2023

Beyond Email Threats

A growing attack vector is phishing and other cybersecurity threats spreading beyond emails. The mantra for years (in the Microsoft world) has been to move internal and external collaboration into Microsoft Teams. We see attacks increasing, particularly as it’s getting easier to collaborate with users outside your business in Teams. Speaking of Teams, we also noted that the desktop app itself has some security implications as it runs as an Electron app and recommends that users stick with the web version instead, as all of the modern security enhancements in browsers protect you. A worrying trend is the shortening of exploit timelines. The gap between a cyber security vulnerability being publicly disclosed and attacks against your users and system has shortened considerably in the last few years. This increases the pressure on already strained security teams to prioritize the right systems to patch based on the level of cyber risk in your particular context. A hospital or a school will have different systems and priorities compared to a critical infrastructure provider, which will affect their security posture. Another interesting finding in the report was the impression some IT staff have that “if it’s in the cloud, it’s secure.” Nearly 25% of staff were either unsure or thought that Microsoft 365 was immune to ransomware attacks, which it’s not. In the shared responsibility model from Microsoft (and any other cloud provider), you are responsible for your data, endpoints, and identity governance as part of your overall cyber risk management. A good backup solution for Microsoft 365 (including Teams data) is a must to protect against data loss and ransomware.

A Strong Defense

There are several layers in protecting against email security threats. For any email system, ensure that your Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) DNS records are in place and correct. Collectively, these records help your email hygiene solutions to spot incoming spam and filter out phishing scams and spoofed email threats. A good email hygiene solution should integrate seamlessly with Exchange Online. For any email threat that does slip through, frequent and easy-to-digest user awareness training and simulated phishing attacks increase the resiliency of your end users against falling for the threat actor’s tricks. Finally, if an email threat gets through these layers and starts a compromise or attack, a good backup solution for all your critical data gives you a way to recover, should it be necessary.

Read the Full Report

In this article, we’ve only scratched the surface of the Cyber Security Report 2024 and what you should do about email security threats to increase your security posture. The full report goes deep into the statistics cyber risk, and also covers other predictions and advice for time-poor IT and security staff. Enjoy reading it! Cyber Security Report 2023 Download
How to Recover Deleted Emails in Microsoft 365

How to Recover Deleted Emails in Microsoft 365

When the CEO realizes they deleted a vital email thread three weeks ago, email recovery suddenly becomes an urgent task. Sure, you can look in Outlook’s Deleted Items folder, but how can you recover what has undergone “permanent” deletion? This article reviews how you can save the day by bringing supposedly unrecoverable email back from the great beyond.

Deleted Email Recovery in Microsoft And Office 365

Email Recovery for Outlook in Exchange Online through Microsoft and Office can be as simple as dragging and dropping the wayward email from the Deleted Items folder to your Inbox. But what do you do when you can’t find the email you want to recover? First, let’s look at how email recovery is structured in Microsoft 365. There are a few more layers here than you might think! In Microsoft 365, deleted email can be in one of three states: Deleted, Soft-Deleted, or Hard-Deleted. How you recover an email and how long you must do so depends on the email’s delete status and the applicable retention policy. Email Recovery in Microsoft 365 Let’s walk through the following graphic and talk about how email gets from one state to another, the default policies, how to recover deleted emails in each state, and a few tips along the way.

Items vs. Email

Outlook is all about email, yet it also has tasks, contacts, calendar events, and other types of information. For example, just like email, you can delete calendar entries and may be called on to recover them. For this reason, the folder for deleted content is called “Deleted Items.” Also, when discussing deletions and recovery, referring to “items” rather than limiting the discussion to just email is common.


Various rules control the retention period for items in the different states of deletion. A policy is an automatically applied action that enforces a rule related to services. Microsoft 365 has hundreds of policies you can tweak to suit your requirements. See Overview of Retention policies for more information.

‘Deleted Items’ Email

When you press the Delete key on an email in Outlook, it’s moved to the Deleted Items folder. That email is now in the “Deleted” state, which simply means it moved to the Deleted Items folder. How long does Outlook retain deleted emails? By default – forever! You can recover your deleted mail with just a drag and drop to your Inbox. Done! If you can’t locate the email in the Deleted Items folder, double-check that you have the Deleted Items folder selected, then scroll to the bottom of the email list. Look for the following message: Outlook Deleted Items Folder If you see the above message, your cache settings may be keeping only part of the content in Outlook and the rest in the cloud. The cache helps to keep mailbox sizes lower on your hard drive, which in turn speeds up search and load times. Click on the link to download the missing messages.

But I Didn’t Delete It!

If you find content in the Deleted Items and are sure you did not delete it, you may be right! Administrators can set Microsoft 365 policy to delete old Inbox content automatically. Mail can ‘disappear’ another way. Some companies enable a personal archive mailbox for users. When enabled, by default, any mail two years or older will “disappear” from your Inbox and the Deleted Items folder. However, there is no need to worry. While missing, the email has simply moved to the Archives Inbox. A personal Archives Inbox shows up as a stand-alone mailbox in Outlook, as shown below. Stand-alone mailbox in Outlook   As a result, it’s a good idea to search the Archives Inbox if it is present when searching for older messages. Another setting to check is one that deletes email when Outlook is closed. Access this setting in Outlook by clicking “File,” then “Options,” and finally “Advanced” to display this window: Outlook Advanced Options If enabled, Outlook empties the Deleted Items when closed. The deleted email then moves to the ‘soft-delete’ state, which is covered next. Keep in mind that with this setting, all emails will be permanently deleted after 28 days.

‘Soft-Deleted’ Email

The next stage in the process is Soft-Deleted. Soft-deleted emails are in the Deleted-Items folder but is still easily recovered. At a technical level, the mail is deleted locally from Outlook and placed in the Exchange Online folder named Deletions, which is a sub-folder of Recoverable Items. Any content in the Recoverable Items folder in Exchange Online is, by definition, considered soft-deleted. You have, by default, 14 days to recover soft-deleted mail. The service administrator can change the retention period to a maximum of 30 days. Be aware that this can consume some of the storage capacity assigned to each user account, and you could get charged for overages.

How items become soft-deleted

There are three ways to soft-delete mail or other Outlook items.
  1. Delete an item already in the Deleted Items folder. When you manually delete something that is already in the Deleted Items folder, the item is soft-deleted. Any process, manual or otherwise, that deletes content from this folder results in a ‘soft-delete.’
  2. Pressing Shift + Delete on an email in your Outlook Inbox will bring up a dialog box asking if you wish to “permanently” delete the email. Clicking Yes will remove the email from the Deleted-Items folder but only perform a soft delete. You can still recover the item if you do so within the 14-day retention period.
Soft Deleting Items in Outlook
  1. The final way items can be soft-deleted is by using Outlook policies or rules. By default, no policies will automatically remove mail from the Deleted-Items folder in Outlook. However, users can create rules that ‘permanently’ (soft-delete) email. If you’re troubleshooting missing emails, have the user check for such rules, as shown below. You can click Rules on the Home menu and examine any created rules in the Rules Wizard below.
Microsoft Outlook Policies and Rules Note that the caution is a bit misleading as the rule’s action will soft-delete the email, which, as already stated, is not an immediate permanent deletion.

Recovering soft-deleted mail

You can recover soft-deleted mail directly in Outlook. Be sure the Deleted Items folder is selected, then look for “Recover items recently removed from this folder at the top of the mail column or the “Recover Deleted Items from Server” action on the Home menu bar. Recovering soft-deleted mail in Outlook Clicking on the recover items link opens the Recover Deleted Items window. Recover Deleted Items, Microsoft Outlook Click on the items you want to recover or Select All, and click OK. NOTE: The recovered email returns to your Deleted Items folder. Be sure to move it into your Inbox. If the email you’re looking for is not listed, it could have moved to the next stage: ‘Hard-Deleted.’ While users can recover soft-deleted emails, Administrators can also recover soft-deleted emails on their behalf using the ‘Hard-Deleted’ email recovery process described next (which works for both hard and soft deletions). Also, Microsoft has created two PowerShell commands that are very useful in this process for those who would rather script the tasks. You can search and restore soft-deleted emails using the Get-RecoverableItems and Restore-RecoverableItems cmdlets.

Hard-Deleted Email

The next stage for deletion is ‘Hard Delete.’ Technically, items are hard-deleted when items are moved from the Recoverable folder to the Purges folder in Exchange Online. Administrators can still recover items in the folder with the recovery period set by policy which ranges from 14 (the default) to 30 (the maximum). You can extend the retention beyond 30 days by placing legal or litigation hold on the item or mailbox.

How items become Hard-Deleted

There are two ways content becomes hard-deleted.
  1. By policy, soft-deleted email is moved to the hard-deleted stage when the retention period expires.
  2. Users can hard-delete mail manually by selecting the Purge option in the Recover Deleted Items window shown above. (Again, choosing to ‘permanently delete’ mail with Shift + Del results in a soft delete, not a hard delete.)

Recovering Hard-Deleted Mail

Once email enters the hard-delete stage, users can no longer recover the content. Only service administrators with the proper privileges can initiate recovery, and no administrators have those privileges by default, not even the global admin. The global admin does have the right to assign privileges so that they can give themselves (or others) the necessary rights. Privacy is a concern here since administrators with these privileges can search and export a user’s email. Microsoft’s online documentation Recover deleted items in a user’s mailbox details the step-by-step instructions for recovering hard-deleted content. The process is a bit messy compared to other administrative tasks. As an overview, the administrator will:
  1. Assign the required permissions
  2. Search the Inbox for the missing email
  3. Copy the results to a Discovery mailbox where you can view mail in the Purged folder (optional).
  4. Export the results to a PST file.
  5. Import the PST to Outlook on the user’s system and locate the missing email in the Purged folder.

Last Chance Recovery

Once hard-deleted items are purged, they are no longer discoverable by any method by users or administrators. You should consider the recovery of such content as unlikely. That said, if the email you are looking for is not recoverable by any of the above methods, you can open a ticket with Microsoft 365 Support. In some circumstances, they may be able to find the email that has been purged but not yet overwritten. They may or may not be willing to look for the email, but it can’t hurt to ask, and it has happened.

What about using Outlook to backup email?

Outlook does allow a user to export an email to a PST file. To do this, click “File” in the Outlook main menu, then “Import & Export” as shown below. Outlook Menu, Import Export You can specify what you want to export and even protect the file with a password. While useful from time to time, a backup plan that depends on users manually exporting content to a local file doesn’t scale and isn’t reliable. Consequently, don’t rely on this as a possible backup and recovery solution.

Alternative Strategies

After reading this, you may be thinking, “Isn’t there an easier way?” A service like Altaro Office 365 Backup allows you to recover from point-in-time snapshots of an inbox or other Microsoft 365 content. Having a service like this when you get that urgent call to recover mail from a month ago can be a lifesaver.

Before We Go

As you can see, it’s become abundantly clear that having a robust recovery strategy is not just an option but a necessity. Below are compelling arguments to illustrate why a well-structured recovery strategy is pivotal in the realm of email management in Microsoft 365:
  • Unexpected Deletions are Inevitable: Accidental deletions are more common than one might think. Whether it’s the CEO or a new intern, anyone can mistakenly delete crucial emails. A recovery strategy ensures these accidents don’t turn into crises.
  • Compliance with Legal and Regulatory Requirements: Many industries are governed by stringent laws and regulations that mandate the retention of electronic communications, including emails, for specific periods. Having a recovery strategy in place ensures compliance with these legal obligations, thus avoiding potential legal ramifications and hefty fines.
  • Protecting Against Malicious Activities: Cyber threats are increasingly sophisticated, with emails often being the main target of malicious actors. An effective recovery strategy can be the difference between quickly restoring lost data and suffering prolonged downtime or permanent data loss.
  • Mitigating the Impact of Technical Failures: Technical glitches, system crashes, or server issues can lead to loss of email data. A recovery strategy ensures that you have backups and processes in place to restore lost emails, thereby minimizing operational disruptions.
  • Maintaining Business Continuity: Emails are often the lifeline of business communications. Loss of access to important emails can halt decision-making processes and project workflows. A sound recovery strategy maintains business continuity, ensuring that email data is always accessible, even in the event of accidental or malicious deletions.
  • Safeguarding Intellectual Property and Sensitive Information: Emails often contain proprietary information, trade secrets, and sensitive data. Loss of such emails not only affects business operations but can also lead to competitive disadvantages and breaches of confidentiality. A robust recovery strategy protects this vital information.
  • Ease of Administration and Time Efficiency: Time is of the essence in business. A recovery strategy streamlines retrieving deleted emails, saving valuable administrative time and effort that might otherwise be spent navigating complex recovery processes.
  • Cost-Effectiveness in the Long Run: While setting up a recovery strategy might seem like an upfront investment, it is cost-effective in the long run. It mitigates the risks of losing crucial business information, spending on legal battles due to non-compliance, or losing business due to operational delays.
  • Reinforcing User Confidence: Knowing there is a safety net for email recovery enhances user confidence in using the email system. Users are more likely to utilize the system effectively and without fear of irreversible mistakes.
  • Adaptability to Organizational Changes: As your organization evolves, so do your communication needs and practices. A flexible recovery strategy can adapt to these changes, ensuring that email recovery processes remain efficient and relevant.
The importance of a well-considered recovery strategy for Microsoft 365 cannot be overstated. It’s a critical component of modern business practices, ensuring your organization’s email communications remain resilient, compliant, and efficient. Remember, it’s not just about recovering a lost email; it’s about preserving the integrity and continuity of your entire business operation.


Users can recover most deleted emails without administrator intervention. Often, deleted emails simply sit in the deleted folder until manually cleared. When that occurs, email enters the ‘soft-deleted stage’ and is easily restored by a user within 14 days. After this period, the item enters the ‘hard-deleted’ state. A service administrator can recover hard-deleted items within the recovery window. After the hard-deleted state, the email should be considered uncoverable. Policies can be applied to extend the retention times of deleted mail in any state. While administrators can go far with web-based administration tools, the entire recovery process can be scripted with PowerShell to customize and scale larger projects or provide granular discovery. Using a backup solution designed for Microsoft 365, such as Altaro Office 365 Backup, is always a great idea.