Why Law Firms Are a Preferred Target
The ABA's annual Legal Technology Survey has documented rising cybersecurity incidents at law firms for years. The attacker logic is straightforward:
You hold valuable data across multiple industries. A firm with a corporate practice has M&A documents with material non-public information. A personal injury firm has medical records and settlement details. An estate planning firm has financial data for high-net-worth clients. Attackers do not need to breach each industry separately — they breach the law firm.
Attorney-client privilege creates ransom pressure. When a firm is hit with ransomware, attackers know you may be unwilling to involve law enforcement because of privilege concerns around client matters. This increases the likelihood of paying.
Small firms have minimal IT. A 12-attorney firm might have a part-time IT contractor who "handles" Microsoft 365 — meaning they add accounts when people join and remove them when they leave. Security configuration was never on the agenda.
Accounting firms using QuickBooks face a parallel threat profile. See our guide to securing QuickBooks Online for small accounting firms.
Misconfiguration 1: Security Defaults vs. Conditional Access
Microsoft introduced "Security Defaults" as a baseline set of protections switched on automatically for tenants created after October 2019; if your firm's tenant is that recent, they are probably on. Security Defaults require every user to register for MFA and they block legacy authentication, both of which are good. But they are an all-or-nothing instrument: they cannot block sign-ins from countries you do not operate in, cannot require a managed device, cannot exempt a break-glass account, and cannot distinguish between a paralegal accessing routine forms and a managing partner accessing trust account information. They are also mutually exclusive with Conditional Access: you must switch them off before the policies below can be created, so have the MFA policy ready to go at the same time.
What to do instead: Move to Conditional Access policies (requires Microsoft 365 Business Premium, or Microsoft Entra ID P1, formerly Azure AD P1). Create each policy in report-only mode first, read the sign-in logs to see what it would have blocked, then enforce it. Key policies to implement:
- Require MFA for all users. Same outcome as Security Defaults, but you choose the methods, the exceptions and the scope.
- Block legacy authentication. Basic-auth IMAP, POP3, SMTP AUTH and older Office clients cannot perform MFA, so a stolen password alone is enough to log in. Microsoft has already disabled Basic authentication for most Exchange Online protocols, but SMTP AUTH can still be on; block legacy clients in Conditional Access and only exempt a specific device (a scanner, a practice-management server) that genuinely needs them.
- Block sign-ins from countries you do not operate in. Define a named location containing the countries your people actually work from and block everything else. This removes the bulk of automated credential-stuffing and password-spray traffic, although a targeted attacker can route through a US proxy, so treat it as a filter rather than a guarantee, and remember travelling attorneys when you set it up.
- Require compliant devices. Only allow M365 access from devices enrolled in Intune, Microsoft's device management service, and reporting as compliant. This stops a stolen password from being used on the attacker's own machine and keeps firm data off unmanaged personal laptops; for phones, pair it with Intune app protection policies so personal devices can still run Outlook and Teams without the files leaving the managed apps.
To check whether Security Defaults are currently on: Microsoft Entra admin center → Identity → Overview → Properties → Manage security defaults (in the older Azure portal: Azure Active Directory → Properties → Manage Security Defaults).
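The four policies above, created in report-only mode with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original page or from Microsoft; it assumes a Business Premium or Entra ID P1 tenant with Security Defaults already off, that the only operating country is the US, and that you have an emergency-access security group whose object ID you paste into $BreakGlassGroupId (the zero GUID is a placeholder). The policy names and the function New-ReportOnlyPolicy are this example's own.

```powershell
# Added example: build the article's four Conditional Access policies in report-only mode.
# Assumptions (not from the page): Entra ID P1, Security Defaults off, a break-glass group.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group

# Named location: the only countries the firm signs in from (ISO 3166-1 alpha-2 codes).
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Firm operating countries'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}

# Every policy starts as report-only so the sign-in log shows what it would have
# blocked before anyone is locked out; flip state to 'enabled' per policy later.
function New-ReportOnlyPolicy([string]$Name, [hashtable]$Conditions, [string[]]$Controls) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
}

# The break-glass group is excluded from every policy, per Microsoft's guidance.
$allUsers = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
$allApps  = @{ includeApplications = @('All') }

# 1. Require MFA for everyone, every app.
New-ReportOnlyPolicy 'CA01 Require MFA for all users' @{
    users          = $allUsers
    applications   = $allApps
    clientAppTypes = @('all')
} @('mfa')

# 2. Block legacy authentication (Basic-auth IMAP/POP/SMTP, ActiveSync, old Office clients).
New-ReportOnlyPolicy 'CA02 Block legacy authentication' @{
    users          = $allUsers
    applications   = $allApps
    clientAppTypes = @('exchangeActiveSync', 'other')
} @('block')

# 3. Block sign-ins from anywhere outside the named location.
New-ReportOnlyPolicy 'CA03 Block sign-ins outside operating countries' @{
    users          = $allUsers
    applications   = $allApps
    clientAppTypes = @('all')
    locations      = @{ includeLocations = @('All'); excludeLocations = @($allowed.Id) }
} @('block')

# 4. Require an Intune-compliant (or hybrid-joined) device for the Office 365 apps.
New-ReportOnlyPolicy 'CA04 Require compliant device for Office 365' @{
    users          = $allUsers
    applications   = @{ includeApplications = @('Office365') }
    clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
} @('compliantDevice', 'domainJoinedDevice')

# Confirm what exists and in which state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the policies in report-only for a week or two, check Entra → Protection → Conditional Access → Insights and reporting for the users and apps each one would have affected, and enforce them one at a time, MFA first.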
Misconfiguration 2: Silent Email Forwarding Rules
This is the most common and most damaging misconfiguration we find at law firms. When an attacker compromises an email account, usually through phishing or credential stuffing, one of their first actions is to create an inbox rule that silently forwards incoming mail to an external address (or to set mailbox-level forwarding directly), often alongside rules that delete or file away bank correspondence and security alerts so that nothing looks out of place. Then they log out. You never know they were there.
They sit and read your email for weeks or months. They learn your clients, ongoing matters, and payment processes. Eventually they use that information for targeted fraud: impersonating you to send fake wire instructions, or impersonating clients to you. This is Business Email Compromise (BEC), consistently among the highest-loss crime categories in the FBI's annual IC3 reports and the top financial threat to law firms.
How to check for malicious forwarding rules:
- Exchange Admin Center (admin.exchange.microsoft.com) → Reports → Mail flow → Auto forwarded messages report: shows mail that is actually leaving the tenant by forwarding, whichever mechanism is doing it
- Mailbox-level forwarding: Exchange Admin Center → Mailboxes → click each user → Mailbox tab → Email forwarding
- Inbox rules are per user and do not appear under Mail flow → Rules (those are organisation-wide transport rules; still worth a glance, because an attacker with admin rights can add one). The only reliable way to review inbox rules for every mailbox is PowerShell: Connect-ExchangeOnline, then Get-InboxRule -Mailbox <user> -IncludeHidden for each mailbox, looking at ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage and MoveToFolder
- Treat rules with blank or odd names (".", "..") and rules that move mail to RSS Feeds, Deleted Items or Archive as suspicious until explained
Going forward: stop automatic forwarding to external domains tenant-wide. The primary control is the outbound spam filter policy (Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-spam policies → Anti-spam outbound policy (Default) → Automatic forwarding rules: Off). Newer tenants default to "Automatic - System-controlled", which currently blocks, but set it explicitly. Disabling AutoForwardEnabled on the default remote domain, and a transport rule that rejects messages of type Auto-forward, add a second layer. This is strongly recommended for all law firms.
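The sweep described above, done for every mailbox at once, followed by the two tenant-wide settings that stop external auto-forwarding. This is an added example, not code from the original page; it assumes the ExchangeOnlineManagement module and an account with at least the View-Only Recipients and Hygiene Management roles (Exchange Administrator covers both). Find-ExternalAddress and the folder list in $hideFolderRx are this example's own.

```powershell
# Added example: find inbox rules and mailbox forwarding that send mail outside the tenant,
# plus rules that hide mail, then switch external auto-forwarding off for the whole tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Every domain the tenant owns is "internal"; any other domain is external.
$internal = @((Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() })
$emailRx  = '[\w.+-]+@(?:[\w-]+\.)+[\w-]+'   # pulls the address out of 'Name [SMTP:x@y]' strings

# Returns the first external address found in a list of recipient strings, or $null.
function Find-ExternalAddress([string[]]$Targets) {
    foreach ($t in $Targets) {
        if ([string]::IsNullOrWhiteSpace($t)) { continue }
        foreach ($m in [regex]::Matches($t, $emailRx)) {
            if ($internal -notcontains $m.Value.Split('@')[1].ToLower()) { return $m.Value }
        }
    }
    return $null
}

# Folders attackers use to bury mail the owner must not see (assumed list).
$hideFolderRx = 'RSS|Deleted Items|Junk|Archive|Conversation History'

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox) {
    $who = $mbx.UserPrincipalName

    # Mailbox-level forwarding: the "Email forwarding" setting in the admin center.
    if ($mbx.ForwardingSmtpAddress) {
        $ext = Find-ExternalAddress @(($mbx.ForwardingSmtpAddress -replace '^smtp:', ''))
        if ($ext) {
            [pscustomobject]@{ Mailbox = $who; Type = 'MailboxForwarding'; Rule = '-'; Target = $ext; KeepsCopy = $mbx.DeliverToMailboxAndForward }
        }
    }

    # Inbox rules, including hidden rules that Outlook's own UI never shows.
    foreach ($rule in Get-InboxRule -Mailbox $who -IncludeHidden) {
        $ext = Find-ExternalAddress (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
        if ($ext) {
            [pscustomobject]@{ Mailbox = $who; Type = 'InboxRuleForward'; Rule = $rule.Name; Target = $ext; KeepsCopy = -not $rule.DeleteMessage }
        } elseif ($rule.DeleteMessage -or ($rule.MoveToFolder -match $hideFolderRx)) {
            # Not exfiltration by itself, but the classic way to hide bank and IT mail from the victim.
            [pscustomobject]@{ Mailbox = $who; Type = 'InboxRuleHide'; Rule = $rule.Name; Target = "$($rule.MoveToFolder)"; KeepsCopy = $false }
        }
    }
}
$findings | Format-Table -AutoSize

# Prevention, tenant-wide: no automatic forwarding to external domains by any mechanism.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Every row in $findings needs a human decision: a legitimate forward to a personal address is still a policy problem at a law firm, and a rule that deletes "Re: wire" messages is an incident. Remove attacker rules with Remove-InboxRule only after the password has been reset and sessions revoked, otherwise they come straight back.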
Misconfiguration 3: Unreviewed Guest Access in Microsoft Teams
Microsoft Teams has become central to how law firms collaborate, and most firms have never reviewed their Guest Access settings, which Microsoft has turned on by default for new tenants since early 2021. A guest is added to a team, not to a single channel: by default they can see every standard channel in that team and the files behind them in the team's SharePoint site (only private and shared channels are walled off), and they can download those files to any device.
For a law firm, this means that inviting a client into a team exposes every other matter filed in that team's standard channels unless teams are deliberately one-matter-per-team. What to review:
- Teams Admin Center → Users → Guest access (older layout: Org-wide settings → Guest access): understand what guests can do. Entra admin center → External Identities → External collaboration settings controls who is allowed to invite guests at all
- Review which teams have external guests: Teams Admin Center → Teams → Manage teams shows a guest count per team
- Confirm each guest should still have access; former clients and participants in closed matters are the usual stale entries, and a guest removed from a team still exists in the directory until deleted there
- Consider SharePoint sites with explicit, expiring sharing links for external file exchange instead of Teams membership: it gives per-file control, and link expiry is set in SharePoint admin center → Policies → Sharing
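A guest review that answers both questions at once: who the guests are, when they last signed in, and which teams each one sits in. This is an added example, not code from the original page; it assumes the Microsoft.Graph and MicrosoftTeams modules, that last-sign-in data (signInActivity) is available, which needs Entra ID P1 and the AuditLog.Read.All scope, and a 90-day staleness threshold that is this example's own choice.

```powershell
# Added example: list every guest with last sign-in and the teams they belong to.
# Assumptions (not from the page): Graph + Teams modules, Entra ID P1 for sign-in activity.
Import-Module Microsoft.Graph.Users, MicrosoftTeams
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'
Connect-MicrosoftTeams

$StaleAfterDays = 90   # assumed threshold: a guest silent this long needs a reason or removal
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Guests are directory objects, not Teams objects: a guest dropped from one team
# still exists in Entra and may hold SharePoint sharing links elsewhere.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, SignInActivity

# Map guest object ID -> the teams they are a member of.
$teamsByGuest = @{}
foreach ($team in Get-Team) {
    foreach ($g in Get-TeamUser -GroupId $team.GroupId -Role Guest) {
        $teamsByGuest[$g.UserId] += @($team.DisplayName)
    }
}

$report = foreach ($u in $guests) {
    $last = $u.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        Guest      = $u.Mail
        Name       = $u.DisplayName
        Invited    = $u.CreatedDateTime.ToString('yyyy-MM-dd')
        LastSignIn = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'never' }
        Stale      = (-not $last) -or ($last -lt $cutoff)
        Teams      = ($teamsByGuest[$u.Id] -join '; ')
    }
}
$report | Sort-Object Stale, LastSignIn -Descending | Format-Table -AutoSize

# Removal is a deliberate step after the responsible attorney confirms:
#   Remove-TeamUser -GroupId <team id> -User <guest UPN>     # from one team
#   Remove-MgUser -UserId <guest object id>                  # from the tenant entirely
```

A guest with "never" in LastSignIn and no teams is usually an invitation that was accepted for a single SharePoint link; those are the easiest to delete and the most often forgotten.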
Misconfiguration 4: Global Admin Accounts Without MFA
Most small firms have one or two Global Administrator accounts in their M365 tenant. These accounts can do anything: reset every password, read every mailbox, delete all data, add new users, and switch off the logging that would show they did it. We routinely find the role sitting on someone's everyday account (the managing partner's, or the IT contractor's), with no MFA, and with the password unchanged since setup.
A compromised Global Admin account means complete control of your entire M365 environment. What to do:
- Create a dedicated, cloud-only Global Admin account with a non-obvious name (not an obvious admin@ address on your domain) used only for administrative tasks, plus one emergency-access ("break-glass") account whose credentials are stored offline and tested periodically
- Protect it with phishing-resistant MFA: a FIDO2 hardware key (YubiKey or similar) or Windows Hello for Business, with an authenticator app as the fallback. Never SMS or voice, which can be phished or SIM-swapped
- Use regular user accounts for day-to-day work, even for your IT person; the admin account should have no mailbox and no Teams licence
- Enable Privileged Identity Management (PIM) if you have Microsoft Entra ID P2 (or Entra ID Governance): admin roles become eligible rather than permanently active, and each activation is time-limited, requires MFA and a justification, and is logged
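A check for exactly the problem this section describes: who actually holds Global Administrator right now, and whether each of them has anything stronger than a password registered. This is an added example, not code from the original page; it assumes the Microsoft Graph PowerShell SDK and the scopes shown. The grading buckets (which method types count as phishing-resistant, app-based, or weak) are this example's own.

```powershell
# Added example: list active Global Administrators and grade their registered MFA methods.
# Assumption (not from the page): Graph SDK with the scopes below; PIM-eligible admins are
# not active members and therefore do not appear here (review them in PIM).
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All', 'User.Read.All'

# Registered-method types that count, ranked; 'password' and 'email' never satisfy MFA.
$strong = 'fido2', 'windowsHelloForBusiness'        # phishing-resistant
$app    = 'microsoftAuthenticator', 'softwareOath'   # app-based, acceptable
$weak   = 'phone'                                    # SMS / voice: upgrade

$role    = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Skip groups and service principals; only users register authentication methods.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $methods = @(Get-MgUserAuthenticationMethod -UserId $m.Id | ForEach-Object {
        # "#microsoft.graph.fido2AuthenticationMethod" -> "fido2"
        $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', ''
    })

    $grade = if     ($methods | Where-Object { $_ -in $strong }) { 'phishing-resistant MFA' }
             elseif ($methods | Where-Object { $_ -in $app })    { 'app MFA' }
             elseif ($methods | Where-Object { $_ -in $weak })   { 'SMS-only MFA: upgrade' }
             else                                                { 'PASSWORD ONLY: fix today' }

    [pscustomobject]@{
        Admin   = $m.AdditionalProperties['userPrincipalName']
        # A mail attribute on the admin account means the role sits on a daily-driver identity.
        HasMail = [bool]$m.AdditionalProperties['mail']
        Methods = ($methods | Sort-Object -Unique) -join ', '
        Grade   = $grade
    }
}
$report | Sort-Object Grade | Format-Table -AutoSize
```

Two admins with HasMail = True and Grade = "PASSWORD ONLY" is the state we find most often. Fix the MFA first (it takes minutes), then create the dedicated admin identities and move the role.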
Misconfiguration 5: Microsoft Purview Is Off
Microsoft 365 Business Premium includes the Microsoft Purview features a small firm needs: data loss prevention (DLP), retention policies, and the unified audit log. Almost no small law firms have configured them.
Why this matters:
- The unified audit log is what a forensic investigation runs on. Without it you cannot determine what was accessed, by whom, from which IP address, or when, and that is exactly the information a breach notification decision needs. The log is not retroactive: events before it is switched on were never recorded, and the standard tier keeps only a limited window, so export it or upgrade if you need to look back further.
- Data Loss Prevention can flag or block outbound emails and shared files containing patterns that match SSNs, bank account numbers or credit card numbers, preventing accidental disclosure and some bulk exfiltration. It does nothing against an attacker quietly reading mail inside a compromised account.
- Retention policies apply your bar's retention schedule to matter files and client communications automatically, and also stop a compromised account from permanently deleting evidence.
To confirm audit logging is on: Microsoft Purview portal → Audit. If a banner offers to "Start recording user and admin activity", click it. Microsoft now enables auditing for new tenants by default, so most firms will find it already running, but verify rather than assume.
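What the audit log gives you once it is on, shown on the case this article keeps coming back to: pull the last 30 days of inbox-rule and forwarding changes with the actor, client IP and the rule's parameters. This is an added example, not code from the original page; it assumes the ExchangeOnlineManagement module, an account with the Audit Logs role, and that the log was already enabled for the period queried. The operation list and the 30-day window are this example's own choices.

```powershell
# Added example: verify the unified audit log is on, then extract inbox-rule and
# forwarding changes with actor and source IP. Assumption (not from the page):
# Exchange Online module and the Audit Logs role; the log is not retroactive.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log is OFF: enabling now; nothing before this moment was recorded.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# New-InboxRule / Set-InboxRule come from OWA and PowerShell; UpdateInboxRules is what
# Outlook desktop logs; Set-Mailbox carries mailbox-level forwarding changes.
$ops   = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox', 'Add-MailboxPermission'
$end   = Get-Date
$start = $end.AddDays(-30)

# At most 5000 rows per call; busy tenants page with -SessionId/-SessionCommand ReturnLargeSet.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Parameters is an array of {Name, Value}; flatten it so the interesting ones are easy to read.
    # (UpdateInboxRules stores its actions under OperationProperties instead; inspect those rows raw.)
    $p = @{}
    foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }
    [pscustomobject]@{
        Time      = ([datetime]$d.CreationTime).ToString('u')
        Actor     = $d.UserId
        ClientIP  = $d.ClientIP
        Operation = $d.Operation
        Target    = $p['Identity']
        RuleName  = $p['Name']
        Forward   = (@($p['ForwardTo'], $p['ForwardAsAttachmentTo'], $p['RedirectTo'], $p['ForwardingSmtpAddress']) | Where-Object { $_ }) -join ' '
        Delete    = $p['DeleteMessage']
    }
}

# Set-Mailbox is noisy (licensing and admin edits hit it too); keep only forwarding changes from it.
$events | Where-Object { $_.Operation -ne 'Set-Mailbox' -or $_.Forward } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Read the ClientIP column against the sign-in log for the same actor: a rule created from an address the user has never signed in from before, minutes after a successful login, is the timeline you will need for the notification decision.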
Business Email Compromise: The Top Financial Threat
BEC follows a consistent pattern at law firms:
- Attacker compromises an attorney's email account via phishing or credential theft
- They monitor email for 2–6 weeks without taking any visible action
- They identify a pending real estate closing, M&A transaction, or settlement payment
- Days before the wire transfer, they send an email from the compromised account, or from a lookalike domain, changing the wire instructions; often they also add an inbox rule so that the bank's confirmations and the counterparty's replies never reach the real attorney
- Funds are transferred to the attacker's account and are rarely recovered unless the receiving bank is alerted within hours
M365 has specific tools that address parts of this. SPF, DKIM and DMARC tell receiving mail servers which servers may send as your domain and what to do with mail that fails the check; configured correctly, they stop attackers sending exact-domain spoofs of your firm to clients and counterparties. SPF and DKIM take about half an hour; DMARC should start at p=none to collect reports and then move to quarantine and finally reject. Most firms have not done it. Be clear about what they do not do: they cannot stop mail sent from a genuinely compromised account (it authenticates perfectly), and they do not cover lookalike domains, which is why the account-protection controls earlier in this article matter more. Defender for Office 365 Plan 1 is included in Business Premium and provides anti-phishing policies, Safe Attachments, Safe Links, and impersonation protection, which only works once you enter the names of your partners and key staff, and the domains of key clients and banks, into the anti-phishing policy.
To check your email authentication configuration right now: run your domain through MXToolbox (mxtoolbox.com/emailhealth). It reports whether SPF, DKIM and DMARC records exist and parse; read the DMARC policy yourself, because a record with p=none is "configured" but blocks nothing.
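The same three records MXToolbox reads, checked from DNS directly so the result can be run again after each change. This is an added example, not code from the original page; it assumes Resolve-DnsName (the DnsClient module, Windows), that the domain signs DKIM with Microsoft 365's standard selector1 and selector2 CNAMEs, and that 'example.com' is replaced with the firm's sending domain. The grading labels are this example's own.

```powershell
# Added example: evaluate SPF, DKIM (Microsoft 365 selectors) and DMARC from DNS.
# Assumptions (not from the page): Windows DnsClient module; selector1/selector2 DKIM.
function Get-TxtRecords([string]$Name) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }
}

function Test-EmailAuth([string]$Domain) {
    # SPF: exactly one v=spf1 record; the 'all' qualifier decides what a failure means.
    $spf = @(Get-TxtRecords $Domain | Where-Object { $_ -match '^v=spf1' })
    $spfState = if     ($spf.Count -eq 0)          { 'MISSING' }
                elseif ($spf.Count -gt 1)          { 'INVALID (more than one v=spf1 record)' }
                elseif ($spf[0] -match '\+all')    { 'WEAK (+all lets anyone send as you)' }
                elseif ($spf[0] -match '-all')     { 'OK (hardfail)' }
                elseif ($spf[0] -match '~all')     { 'OK (softfail)' }
                else                               { 'CHECK (neutral or no all mechanism)' }

    # DKIM as Microsoft 365 publishes it: two CNAMEs pointing at your onmicrosoft.com domain.
    $dkim = foreach ($sel in 'selector1', 'selector2') {
        $r = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if ($r.NameHost) { "$sel -> $($r.NameHost)" } else { "$sel MISSING" }
    }

    # DMARC: the p= tag is the policy; \bp= keeps sp= (the subdomain policy) from matching.
    $dmarc = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1' })
    $dmarcState = if     ($dmarc.Count -eq 0)                   { 'MISSING' }
                  elseif ($dmarc.Count -gt 1)                   { 'INVALID (more than one DMARC record)' }
                  elseif ($dmarc[0] -notmatch '\bp=(\w+)')      { 'INVALID (no p= tag)' }
                  elseif ($Matches[1] -eq 'reject')             { 'OK (reject)' }
                  elseif ($Matches[1] -eq 'quarantine')         { 'OK (quarantine)' }
                  elseif ($Matches[1] -eq 'none')               { 'MONITOR ONLY (p=none blocks nothing)' }
                  else                                          { "UNKNOWN policy '$($Matches[1])'" }

    [pscustomobject]@{
        Domain = $Domain
        SPF    = $spfState
        DKIM   = $dkim -join '; '
        DMARC  = $dmarcState
        Record = $dmarc -join ' | '
    }
}

Test-EmailAuth 'example.com'   # placeholder: put the firm's sending domain here
```

A missing DKIM CNAME usually means the domain was added to M365 but signing was never enabled; Get-DkimSigningConfig in Exchange Online shows the exact CNAME values to publish. Until DMARC reaches quarantine or reject, the record only generates reports and changes nothing for the recipient.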
ABA Cybersecurity Requirements: What They Actually Mean
The ABA Model Rules do not use the word "cybersecurity," but Rule 1.1 (competence) and Rule 1.6 (confidentiality) both apply. In 2012, Rule 1.6 was amended to explicitly include "reasonable efforts to prevent the inadvertent or unauthorized disclosure" of client information.
ABA Formal Opinion 477R (2017) specifically addresses email security and concludes that lawyers must consider the sensitivity of information to be transmitted and may need to use enhanced security measures beyond standard email for highly sensitive matters.
Practically, this means your M365 email is not automatically sufficient for all privileged communications. A documented security posture (written policies, MFA, device management, and the audit trail that proves they were in force) is the foundation of your defence if a breach occurs. Several states, including California, New York, and Florida, have issued ethics opinions that go further than the ABA on cloud and email security. Check your state bar's opinions.
The M365 License Question
| Feature | Business Basic | Business Standard | Business Premium |
|---|---|---|---|
| Exchange / Outlook email | ✓ | ✓ | ✓ |
| Teams / SharePoint | ✓ | ✓ | ✓ |
| Defender for Office 365 | ✗ | ✗ | ✓ |
| Intune device management | ✗ | ✗ | ✓ |
| Azure AD P1 (Conditional Access) | ✗ | ✗ | ✓ |
| Microsoft Purview compliance | Limited | Limited | ✓ |
For a law firm, Business Premium is the minimum we recommend. The price difference from Business Standard is approximately $12/user/month — around $1,440/year for a 10-user firm. The features it adds are not nice-to-haves; they are the tools required to implement proper access controls, device management, and email security. If budget is constrained, prioritise Business Premium for attorneys and anyone handling billing or trust accounts.
Getting Your House in Order: A Practical Sequence
Week 1 (1–2 hours)
- Check every mailbox for external forwarding (inbox rules and mailbox-level forwarding) and switch automatic forwarding off in the outbound spam policy
- Verify MFA is enforced for all users, by Security Defaults or by Conditional Access
- Confirm audit logging is on in Microsoft Purview
- Run your domain through MXToolbox and fix any SPF / DKIM / DMARC gaps
Week 2 (2–3 hours)
- Review Teams guest access and remove stale guests
- Check Global Admin accounts and add MFA if missing
- Turn on Defender for Office 365 if you are on Business Premium: it is included but does little until you apply the Standard or Strict preset security policy and add your partners and key staff to impersonation protection
Month 2
- Work with your IT support to implement Conditional Access policies
- Draft or update your written security policy
- Schedule annual staff security training
UK law firms seeking Cyber Essentials certification will recognise many of these controls: four of the five technical areas assessed by Cyber Essentials (secure configuration, user access control, malware protection and security update management) map closely onto the M365 settings covered above, and the fifth, firewalls, is about your network edge and devices. Our Cyber Essentials IT security policy guide details exactly what needs to be documented for certification, including access control, malware protection, and the 14-day patching standard.
If you want professional help reviewing your M365 configuration specifically — not a general IT audit, but a focused security review of your Microsoft environment — that is a contained engagement we complete in a day. See our cloud hardening services.