O365Undo is a great script you can use to roll back actions of your user(s) in Office 365: most likely actions your user wasn’t aware of, because they were actually done by CryptoLocker or by ransomware. These nasty viruses can cause havoc on your mapped or synced SharePoint Online or OneDrive for Business libraries in the form of file-level encryption or file name obfuscation.
O365Undo requires that you have enabled the Unified Audit Log in Office 365.
If you have done so, O365Undo can reverse the following actions your user took in OneDrive, SharePoint or an Office 365 Group, back to a given date (the furthest you can go back is the moment you enabled the Unified Audit Log):
How to use
- Install the SharePoint Client Components
- Identify the login of the user you wish to target, e.g.: firstname.lastname@example.org
- Identify the moment in time you want to go back to (your local time in MM-DD-YYYY HH:MM:SS format)
- Do not let the user modify anything for 15-30 minutes (Unified Audit Log sync time)
- Run the script: .\O365Undo.ps1 -affectedUserLogin email@example.com -infectionDateTime "05-13-2016 00:00:00" -login "firstname.lastname@example.org" -password "Welcome123"
- View the screen and/or log in %Appdata% for the results
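Before running the rollback it helps to confirm that the Unified Audit Log is enabled and to see what it actually recorded for the affected user since the chosen moment. The script below is an added example, not part of O365Undo; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account may search the audit log, and that the relevant events are of record type SharePointFileOperation.

```powershell
# Added pre-flight check, not part of O365Undo.
# Assumptions: ExchangeOnlineManagement module, audit-search permission.
param(
    [Parameter(Mandatory)][string]$AffectedUserLogin,   # login of the affected user
    [Parameter(Mandatory)][string]$InfectionDateTime    # local time, MM-DD-YYYY HH:MM:SS
)

Connect-ExchangeOnline   # interactive sign-in, no password on the command line

# 1. The rollback depends on the Unified Audit Log, so confirm ingestion is on.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    throw 'Unified Audit Log ingestion is disabled; no events are available.'
}

# 2. Parse the local timestamp strictly, then convert it to UTC for the search.
$fmt        = 'MM-dd-yyyy HH:mm:ss'
$startLocal = [datetime]::ParseExact($InfectionDateTime, $fmt, [cultureinfo]::InvariantCulture)
$search = @{
    StartDate      = $startLocal.ToUniversalTime()   # unspecified kind is treated as local
    EndDate        = (Get-Date).ToUniversalTime()
    UserIds        = $AffectedUserLogin
    RecordType     = 'SharePointFileOperation'       # SharePoint and OneDrive file events
    SessionId      = [guid]::NewGuid().ToString()
    SessionCommand = 'ReturnLargeSet'                # paged, unsorted, up to 50,000 records
    ResultSize     = 5000
}

# 3. Keep requesting pages from the same session until one comes back empty.
$events = @()
do {
    $page    = @(Search-UnifiedAuditLog @search)
    $events += $page
} while ($page.Count -gt 0)

# 4. Summarise by operation so the scale of the damage is visible up front.
$events | Group-Object Operations | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 5. Show the newest record (UTC) to judge whether the log has caught up.
$newest = $events | Sort-Object CreationDate -Descending | Select-Object -First 1
if ($newest) {
    $detail = $newest.AuditData | ConvertFrom-Json
    '{0:u}  {1}  {2}' -f $newest.CreationDate, $detail.Operation, $detail.ObjectId
}
```

If the newest record is much older than the user's last known activity, the log has not finished syncing and the rollback would work from an incomplete picture.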
What it won’t (yet) do:
- restore deleted files from the recycle bin
- check files back in when checked out
- delete new files
- rename / move folders
I’m not a real programmer; this code is meant as a proof of concept. I do not guarantee this product will work in your setup, and I offer no dedicated support. I try to help everyone on a best-effort basis but also have to work for a living.
This tool is not actively maintained; make sure you test it before running it in a production environment!
O365Undo_V0.5.ps1 (right click, save as)