
Business Email Compromise: The Cyber Threat Law Firms Can't Ignore

One spoofed email. One fake wire transfer. That's all it takes.

For many law firms, the most financially damaging cyber risk isn't ransomware; it's Business Email Compromise (BEC): attackers quietly hijacking or impersonating your email to redirect money and data.

The FBI's Internet Crime Complaint Center (IC3) has the numbers to prove it. Year after year, BEC is at or near the top of reported cybercrime losses. The dollar impact dwarfs ransomware.

If your firm uses email to coordinate wire transfers, settlements, or trust account disbursements, BEC isn't a theoretical risk. It's the main event.

Let's break down how it works, what it looks like in a Microsoft 365-based practice, and what meaningful law firm cybersecurity looks like in 2026.


How Business Email Compromise Actually Works

Most BEC attacks against firms follow a familiar pattern.

1. Getting In

The attacker gains mailbox access via:

  • A convincing phishing email (fake Microsoft 365 login)
  • Password reuse from another breached site
  • Weak or missing multifactor authentication

2. Sitting Quietly

Once they're in, they don't start spraying spam. They sit and watch:

  • Who authorizes payments
  • How wires are requested and approved
  • Which matters involve large or time-sensitive transfers

3. Hijacking Real Conversations

When the moment is right, they step in:

  • They send from the compromised account, or
  • They register a lookalike domain (for example, a near-copy of myfirmlegal.com that differs from the real domain by a single character).

They reply on existing threads, copying your style, disclaimers, and process.

4. Redirecting Money

Finally, they send updated wiring instructions or new account details that look completely legitimate.

By the time anyone realizes something is wrong, the funds are sitting in an account outside the country and the bank's options are limited.


Why Law Firms Are Prime Targets

From an attacker's point of view, firms are ideal:

  • You move large sums of money through trust accounts and wires.
  • Email is often considered good enough for approvals.
  • Transactions are time-sensitive; pressure and urgency are normal.
  • IT is often focused on uptime and e-discovery, not deep security monitoring.

In other words: high-value transactions + high trust in email + inconsistent monitoring.

If an attacker can spend a few days inside one partner's mailbox and successfully redirect a single six-figure transfer, the return is enormous.

That's why BEC attacks on law firms are so common. The economics are too good for attackers to ignore.


What BEC Looks Like in Your Systems

The actual fraud email is often the last step. The story starts much earlier with smaller technical breadcrumbs:

  • New inbox rules that forward or hide emails involving wire, invoice, payment, ACH, etc.
  • Logins from unusual countries or locations
  • Multiple mailboxes accessed from the same suspicious IP
  • Unusual download patterns (for example, mass export of mail or files)

A basic Microsoft 365 setup will happily log these events and never say a word.

A serious business email compromise legal defense depends on actively monitoring those behaviors.


What Your MSP Should Be Watching in Microsoft 365

You don't need to become a security analyst, but you should know what your IT partner is (or isn't) monitoring.

Here are 14 conceptual detection rules a competent MSP should have in place for BEC in a Microsoft 365 tenant:

  1. Impossible travel logins: the same user logging in from distant locations in an impossible timeframe.
  2. Logins from high-risk countries: especially regions where your firm has no business.
  3. Multiple failed logins followed by success: suggesting password spraying or testing of stolen credentials.
  4. New inbox rules that hide or forward mail: particularly rules targeting finance-related terms.
  5. Inbox rules forwarding all mail externally: a common tactic for long-term mailbox surveillance.
  6. Creation of tenant-level forwarding rules: transport rules that send copies of mail off-tenant.
  7. New OAuth app consent with broad permissions: malicious apps granted rights to read or send mail.
  8. Unusual mass mailbox access: a single account accessing mailboxes it normally doesn't.
  9. Privilege escalations: new admin roles assigned to accounts that previously lacked them.
  10. Suspicious send patterns: large bursts of outbound mail or unusual recipients for a given user.
  11. New devices or locations for key accounts: partners and finance staff suddenly logging in from odd geographies.
  12. Mail sent from unfamiliar IPs: especially when it bypasses your normal VPN or office networks.
  13. Transport rule changes: particularly ones that bypass spam/phishing filters or reroute mail.
  14. Unusual file access: mass downloads or access to sensitive SharePoint/OneDrive locations tied to a user.

On their own, any one of these might be benign. Together, they're the difference between "a normal Tuesday" and "we just wired money to a criminal."
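To make the breadcrumbs above and rules 3, 4 and 5 from the list concrete, here is an added example (not code from the original post or from Beshore IT) that runs two toy detectors over a handful of constructed audit events. The field names approximate what a Microsoft 365 Unified Audit Log export contains and are an assumption; the users, IPs and rule parameters are made up for the demonstration.

```python
# Toy BEC detectors over constructed Microsoft 365 audit-log-style events. Field names
# (Operation, UserId, ClientIP, CreationTime, Parameters) approximate the Unified Audit Log.
from collections import defaultdict
from datetime import datetime, timedelta

FINANCE_TERMS = ("wire", "invoice", "payment", "ach")
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

def ev(t, op, user, ip, params=None):  # one constructed event on 2026-01-13 at HH:MM
    return {"CreationTime": f"2026-01-13T{t}:00", "Operation": op, "UserId": user, "ClientIP": ip,
            "Parameters": [{"Name": k, "Value": v} for k, v in (params or {}).items()]}

P, K, IP = "partner@myfirmlegal.com", "paralegal@myfirmlegal.com", "203.0.113.9"
EVENTS = [  # constructed sample: credential testing on a partner, then a rule that hides wire/invoice mail
    *[ev(f"08:0{i}", "UserLoginFailed", P, IP) for i in (1, 2, 3)],
    ev("08:04", "UserLoggedIn", P, IP),
    ev("08:05", "New-InboxRule", P, IP, {"SubjectContainsWords": "wire;invoice", "MoveToFolder": "RSS Feeds", "MarkAsRead": "True"}),
    ev("09:00", "New-InboxRule", K, "198.51.100.4", {"SubjectContainsWords": "newsletter", "MoveToFolder": "Reading"}),
]

def suspicious_inbox_rules(events):
    """Rules 4 and 5: inbox rules that forward mail out, or that hide finance-related mail."""
    hits = []
    for e in events:
        if e["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = {x["Name"]: x["Value"] for x in e["Parameters"]}
        words = (p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", "")).lower()
        if FORWARD_PARAMS & p.keys():
            hits.append((e["UserId"], "forwarding rule"))
        elif HIDE_PARAMS & p.keys() and any(term in words for term in FINANCE_TERMS):
            hits.append((e["UserId"], "hides finance-related mail"))
    return hits

def failed_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Rule 3: at least `threshold` failed logins for a user, then a success within `window`."""
    hits, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["CreationTime"]):
        t, u = datetime.fromisoformat(e["CreationTime"]), e["UserId"]
        if e["Operation"] == "UserLoginFailed":
            failures[u].append(t)
        elif e["Operation"] == "UserLoggedIn":
            if sum(t - f <= window for f in failures[u]) >= threshold:
                hits.append((u, e["ClientIP"]))
            failures[u].clear()  # a success closes the streak so it is not counted twice
    return hits

if __name__ == "__main__":
    print(suspicious_inbox_rules(EVENTS), failed_then_success(EVENTS))
```

The paralegal's newsletter rule is deliberately benign and produces no alert, which is the kind of tuning a SIEM rule needs so that finance staff are not buried in noise.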


Tools Without Process Aren't Enough

Even the best detection doesn't help if firm processes assume email instructions are always trustworthy.

A realistic law firm cybersecurity approach includes:

  • Callback verification for changes to payment details, using a known-good phone number (not what's in the email signature).
  • Clear wire procedures that define who can request, who can approve, and how changes are validated.
  • Firm-wide MFA for all accounts, with extra protection on partners, finance, and IT.
  • Targeted security awareness training that uses real examples from legal workflows.

Technology backs up those processes; it doesn't replace them.


What We Do for Firms We Support

At Beshore IT, we treat BEC as the primary threat model for our law firm clients.

In practical terms, that means:

  • Enforcing firm-wide MFA and sensible conditional access policies
  • Sending Microsoft 365, endpoint, and firewall logs into our Wazuh-based SIEM
  • Tuning detection rules around the 14 patterns above
  • Investigating and responding to alerts by:
    • Forcing sign-outs and password resets
    • Disabling accounts when warranted
    • Reviewing mailbox rules and access history
  • Working with firm leadership to tighten wire and payment verification procedures

The goal is simple: make your firm a very unattractive target for attackers looking for an easy BEC payout.


Questions to Ask Your Current IT Provider

If you want a real sense of your exposure, ask these directly:

  1. What are we doing specifically to detect Business Email Compromise in our Microsoft 365 tenant?
  2. Do we have alerts for inbox rule changes, forwarding rules, and suspicious login patterns?
  3. Are we sending M365 logs into a SIEM, or just relying on Microsoft's built-in alerts?
  4. Can you show us the last few security incidents you investigated for our firm and how you responded?
  5. What is our documented process for verifying changes to wiring instructions?

If the answers are vague or heavy on marketing buzzwords, you probably don't have the coverage you assume you do.


BEC Is a Business Risk, Not Just an IT Problem

A successful BEC incident hits more than your network. It affects:

  • Client trust: especially around high-value matters and real estate transactions.
  • Professional liability: depending on circumstances and response.
  • Cash flow: if trust accounts or major disbursements are involved.

That's why BEC belongs in your risk management discussions, not just on IT's to-do list.

You don't need a huge internal security team. You do need:

  • The right monitoring in place
  • An MSP that understands law firm workflows and BEC patterns
  • Clear internal processes that treat email as untrusted for moving money

If you're not comfortable with your answers to the five questions above, that's a sign it's time to tighten things up, before one spoofed email turns into a six-figure mistake.