BlueStone Tech

Microsoft 365 ransomware recovery — Melbourne SMB guide

2026-05-15·BlueStone Tech team·~3 min read

Note: This is a short English overview. The full deep-dive — real 72-hour case timeline, four-step emergency plan, SkyKick vs Veeam vs AvePoint comparison, and a Mandarin-speaking-team perspective — is currently published in Chinese. A full English translation is on our roadmap.

The TL;DR for English-language readers

Microsoft 365's built-in "deleted items" recovery is not a backup. Exchange retains deleted mail for 14–30 days; OneDrive and SharePoint retain up to 93 days; Teams chats default to 30 days. When ransomware compromises an account, attackers routinely empty the recycle bin and overwrite version history — past the retention window, recovery is impossible.

A real Melbourne case we walked alongside in 2026: a 25-person Chinese-Australian trading company with no third-party M365 backup lost 30% of its operational documents and a critical customs declaration, leading to ~AU $140,000 in direct and indirect losses. A $2,400/year independent Microsoft 365 backup subscription would have made the full data recoverable inside 4 hours.

What to do right now

  1. Disconnect, preserve evidence — physically unplug the affected device. Do not reboot. Force-reset all Microsoft 365 user passwords and revoke active sessions.
  2. Scope the blast radius — export the Unified Audit Log for the last 30 days. Look for logins from unexpected geographies and mass file-delete events.
  3. Restore from backup — if you have third-party M365 backup (SkyKick / Veeam / AvePoint), restore by point-in-time. If not, use Microsoft's native 14–93 day windows.
  4. Report — file at cyber.gov.au, notify your cyber insurer, and if personal data was exposed, lodge with the OAIC within 30 days.
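
An added example, not from the original article: a Python triage pass for step 2, run over a Unified Audit Log CSV export. The `AuditData` column and its JSON field names, the egress range and the burst threshold are assumptions; the audit log records client IPs rather than countries, so "unexpected geography" is approximated here as a login from outside the networks you expect.

```python
import csv, io, ipaddress, json
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office/VPN egress
BURST, WINDOW = 3, timedelta(minutes=5)  # assumed threshold, low so the sample trips it

def triage(csv_text):
    """Return (logins from outside EXPECTED_NETS, {user: largest delete burst})."""
    logins, deletes, bursts = [], defaultdict(list), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"])  # assumed column holding per-event JSON
        when = datetime.fromisoformat(data["CreationTime"])
        user, op, ip = data["UserId"], data["Operation"], data.get("ClientIP", "")
        if op == "UserLoggedIn":
            try:
                known = any(ipaddress.ip_address(ip) in n for n in EXPECTED_NETS)
            except ValueError:
                known = False  # missing or malformed address: review by hand
            if not known:
                logins.append((user, ip, when))
        elif op.startswith("FileDeleted") or op == "FileRecycled":
            deletes[user].append(when)  # includes recycle-bin stage deletions
    for user, times in deletes.items():
        start, times = 0, sorted(times)
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= BURST:
                bursts[user] = max(bursts.get(user, 0), end - start + 1)
    return logins, bursts

def sample_export():  # constructed rows, not real data
    amy, bob, bad = "amy@example.com", "bob@example.com", "198.51.100.77"
    events = [("UserLoggedIn", amy, "203.0.113.10", "08:58:00"),
              ("UserLoggedIn", amy, bad, "01:10:00"),
              ("FileDeleted", amy, bad, "01:14:05"), ("FileRecycled", amy, bad, "01:14:40"),
              ("FileDeletedFirstStageRecycleBin", amy, bad, "01:15:10"),
              ("FileDeleted", bob, "203.0.113.20", "10:00:00")]
    buf = io.StringIO()
    out = csv.writer(buf)
    out.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for op, user, ip, tod in events:
        ts = "2026-03-02T" + tod
        out.writerow([ts, user, op, json.dumps(
            {"CreationTime": ts, "Operation": op, "UserId": user, "ClientIP": ip})])
    return buf.getvalue()

print(triage(sample_export()))
```

On a real export, raise `BURST` to a level that normal clean-up work in your tenant does not reach, and treat every flagged login as a lead for the password reset and session revocation in step 1.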

Why bilingual matters

During an active ransomware response, Chinese-Australian business owners need to coordinate simultaneously with English-speaking insurers, regulators, and law enforcement, and with Mandarin-speaking staff, suppliers, and clients. BlueStone Tech's engineering team operates bilingually for exactly this reason. See our services: Backup & Recovery · Microsoft 365 management · Pricing · Free quote.
