S-RM has identified a recent trend of phishing campaigns specifically targeting law firms. In recent weeks, we have observed a sharp rise in business email compromise (BEC) cases in which the majority of the victims were law firms.
In this advisory, we outline the threat and provide practical advice for law firms (and all organisations) to protect themselves from this wave of attacks.
1. What is the threat?
Law firms are a lucrative target for cybercriminal groups that specialise in business email compromises. Whilst business email compromises are a relatively common cyber-attack, S-RM has identified a sharp increase in the frequency and sophistication of these attacks and high numbers of law firms amongst the victims. Many of the new techniques being used by threat actors targeting law firms are circumventing traditional forms of multi-factor authentication (MFA). This poses a challenge for targeted organisations to prevent, identify and stop these types of attacks.
Once a threat actor has gained access to a mailbox, we typically see them carrying out one or a combination of the following activities:
- Sending phishing emails to the compromised user’s contact list to breach further accounts;
- Conducting payment fraud by changing banking details on an invoice, legal bill, conveyancing deposit or transaction in a legitimate email thread; and/or
- Stealing a copy of the contents of the data stored in the compromised mailbox.
This often results in significant consequences for law firms, including:
- Reputational damage and loss of trust with clients, who may change solicitors in the long run;
- Direct potential losses and/or third-party liability for funds lost by clients when monies are fraudulently diverted;
- Heightened scrutiny from regulators; and/or
- Potential increases to insurance and professional indemnity premiums at renewal.
In this advisory, we have provided technical details of the new techniques that we have identified in this recent wave of attacks and listed several measures to mitigate this threat.
We encourage firm partners to work with their IT personnel and cyber security leaders to review the following information and reach out to us should you require additional assistance.
2. Technical details
A BEC is a form of a cyber-attack where a threat actor gains unauthorised access to an organisation's email account. Threat actors gain this access by using a legitimate user’s credentials and satisfying the MFA requirement (if required). These credentials are typically obtained through phishing campaigns or purchased on the dark web. S-RM has observed increased sophistication in recent BEC cases involving law firms:
- Traditional forms of MFA are no longer a silver bullet. Threat actors are increasingly stealing session cookies to bypass the MFA requirement to access an account, using advanced phishing techniques known as Adversary-in-the-Middle (‘AitM’) that rely on the use of a malicious proxy intercepting and relaying traffic in the middle of a legitimate login process. The widespread availability in the criminal underground of easy-to-use tools to facilitate these techniques, such as a phishing kit known as “EvilProxy”, has lowered the barrier to entry and the expertise required to use these methods.
- Threat actors are going undetected in breached organisations. Security teams and many alerting platforms commonly rely on the reputation or location of an IP address to identify threat actor activity. We have observed threat actors at times using Microsoft virtual machines that have Microsoft-registered IP addresses to access breached accounts or similarly geolocating their logins from expected locations (such as the country where the victim organisation is headquartered). This has made identifying malicious access more complex.
- Threat actors set up their own MFA method for persistence. Session cookies have a limited lifespan that is dependent on the configuration of an email tenant. To maintain access beyond the lifespan of a session cookie, threat actors have been adding their own MFA method to the compromised account after gaining initial access. Configuring their own MFA method also offers the opportunity to conduct further malicious activities that require MFA, such as using the Outlook application to access and download a copy of the mailbox.
- Spear phishing LinkedIn connections. A common tactic in a BEC is for the threat actor to send further phishing emails from a compromised user’s account. We have also recently identified threat actors accessing compromised users’ LinkedIn account to obtain a list of email addresses that were later recipients of phishing emails.
- Phishing emails are becoming increasingly convincing. Phishing emails have historically included characteristics that made them relatively easy to identify, including spelling or grammar errors and/or hyperlinks directing victims to an unusual URL. However, recent campaigns targeting law firms are altering their approaches to include better crafted and more convincing phishing emails, sometimes even encouraging victims to scan a QR code with their phone. Once scanned, unsuspecting victims are led to a malicious website where they are prompted to provide their account credentials.
- Phishing has moved to Microsoft Teams. The delivery of phishing attempts has also evolved to other mediums. In a number of recent compromises, we identified a phishing message distributed via Teams from an external tenant. Although not specifically targeted at law firms, this last tactic is worth looking out for.
Law firms are an attractive target for threat actors. By the nature of their work, solicitors deal with sensitive information and much of this information is stored or transferred via email. Once an email account is compromised, there is the risk that data will be exfiltrated and, if the threat actor uses a desktop client to access a mailbox, at least a portion of the mailbox may be automatically downloaded to the threat actor’s local device.
Law firms can implement several measures to protect themselves from this wave of attacks. Although no security control can guarantee complete protection against a BEC, adopting several layers of defence greatly reduces the likelihood of a successful attack. We recommend the following be implemented:
- Enforce MFA for all users on the email tenant. Whilst this is not a silver bullet, it can deter the less sophisticated threat actors from successfully authenticating. However, to prevent AitM phishing attacks, some MFA implementations are better than others:
- If possible, use a FIDO2-certified authenticator. Examples of this would respectively be Windows Hello for Business or a Yubi hardware key.
- Combine best practice MFA with conditional access policies to require authenticating devices to be trusted or compliant and come from trusted locations.
- Avoid using application-based MFA with push notifications where possible, as these may be subject to notification fatigue attacks.
- Avoid using MFA solutions based on SMS or a one-time password via authenticator applications as these are vulnerable to multiple methods of interception.
- If you identify an account that has been compromised, ensure to revoke all active sessions and remove all methods of MFA before re-enabling the account and only re-adding trusted MFA methods.
- Disable legacy email protocols that are not strictly required for business purposes. Legacy email protocols allow a threat actor to bypass MFA and download a portion of the mailbox to a local client.
- Monitor the dark web for any credentials that are leaked. If a user is identified in a breach, swiftly change their password.
- Consider disabling the ability for external tenants to start chats with users in Teams if not required for the business.
- As always, conduct regular phishing awareness training and phishing simulations. Ensure that these match the current levels of attack sophistication, where possible.
- Set up DMARC to prevent unauthorised individuals from sending phishing emails using your organisation's domain.
HOW S-RM CAN HELP
If you’re unsure of your vulnerability to this developing threat and would like some support in determining the robustness of protections in place, our consultants can support you with a concise technical assessment of security measures and their efficiency. Additionally, our offensive security team can simulate the actions of an attacker with access to breached credentials to help you gain a practical understanding of their ability to circumvent security measures to increase their access in your environment and the impact this would have on your business. Contact email@example.com for more information.
If you’ve already identified potentially suspicious activity and would like some support in defining and triaging it, our IR team is available at CyberIR@s-rminform.com.
 A session cookie is a piece of data sent by a website to a browser to allow the user to remain logged in for a set amount of time.