Legal Firm – Business Email Compromise & Deception

Using SOC365 and deception devices to detect and contain a business email compromise affecting a legal practice.

Overview

A mid-sized legal firm noticed signs of suspicious email activity, including anomalous inbox rules, mail forwarders, and client complaints about unusual messages. The firm needed to understand whether accounts were compromised, prevent payment fraud, and reassure key clients.

Cyber Defence used SOC365, its Microsoft 365 integration, and deception techniques to identify attacker behaviour and contain the incident.

Context

Client context & objectives

Sector

Legal firm handling sensitive commercial and litigation matters.

Key systems

Microsoft 365, case management, document management, and remote working platforms.

Objectives

Identify compromised accounts, prevent payment redirection, protect client confidentiality.

Our approach

1. SOC365 connected to Microsoft 365 to ingest sign-in logs, audit logs, and mailbox activity.

2. Detection engineering focused on suspicious forwarding rules, inbox manipulation, and anomalous sign-in patterns.

3. Deception: planted decoy mailboxes and credentials designed to be attractive to attackers.

4. Threat intelligence correlation for known BEC infrastructure and phishing domains.

5. Guided remediation to remove malicious rules, enforce MFA, reset credentials, and notify affected clients where necessary.
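As an added illustration of step 2, not code from Cyber Defence or SOC365, the Python below scores Microsoft 365 audit records for the forwarding and inbox-manipulation patterns that typify BEC: external forwarding, rules keyed on finance words that hide or delete matched mail, and blank or punctuation-only rule names. The record shape, the tenant domain and the sample entries are constructed assumptions approximating Exchange entries in the Unified Audit Log.

```python
# Score Microsoft 365 audit records for inbox-rule and forwarding changes typical of BEC.
INTERNAL_DOMAIN = "example-legal.test"  # assumed tenant domain (constructed)

# Constructed records approximating Exchange audit entries (Operation + Name/Value Parameters list).
SAMPLE_RECORDS = [
    {"UserId": "partner@example-legal.test", "Operation": "New-InboxRule", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"UserId": "finance@example-legal.test", "Operation": "Set-Mailbox", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail.example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"UserId": "assistant@example-legal.test", "Operation": "New-InboxRule", "ClientIP": "192.0.2.5",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"}]},
]

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
FINANCE_WORDS = {"invoice", "payment", "bank", "wire", "remittance"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items", "archive"}

def params(record):  # flatten the Name/Value parameter list into a dict of strings
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def is_external(address):  # ForwardingSmtpAddress values carry an "smtp:" prefix
    return "@" in address.lower() and not address.lower().replace("smtp:", "").endswith("@" + INTERNAL_DOMAIN)

def score_record(record):
    """Weighted BEC indicators for one record; external forwarding alone (weight 2) is enough to alert."""
    p = params(record)
    hidden = p.get("DeleteMessage", "").lower() == "true" or p.get("MoveToFolder", "").lower() in HIDE_FOLDERS
    subject = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";")}
    checks = [
        (2, "forwards to external address", any(is_external(p[n]) for n in FORWARD_PARAMS.intersection(p))),
        (1, "filters on finance keywords", bool(subject & FINANCE_WORDS)),
        (1, "hides or deletes matched mail", hidden),
        (1, "marks matched mail as read", p.get("MarkAsRead", "").lower() == "true"),
        (1, "rule name blank or punctuation only", not p.get("Name", "x").strip(" .")),
    ]
    hits = [(w, why) for w, why, fired in checks if fired]
    return sum(w for w, _ in hits), [why for _, why in hits]

def find_suspicious(records, threshold=2):
    alerts = []
    for r in records:
        score, reasons = score_record(r)
        if score >= threshold:  # the newsletter rule scores 0 and is not raised
            alerts.append({"user": r["UserId"], "ip": r.get("ClientIP"), "score": score, "reasons": reasons})
    return alerts
```

In production the same scoring would run over records pulled from the audit log feed, with the alert's ClientIP correlated against sign-in logs and threat intelligence as in steps 1 and 4.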

Outcomes

Results

Confirmed scope

A small number of accounts were confirmed as compromised; the rest were verified as unaffected.

Payment protection

No fraudulent payments were ultimately processed following remediation and client notifications.

Improved detection

New BEC-focused detections were implemented in SOC365 for this and other legal clients.

Deception telemetry

Interaction with decoy mailboxes provided clear evidence of attacker behaviour without impacting real users.

Client reassurance

Clear communication and documented response supported client trust and regulatory comfort.

Stronger identity posture

MFA adoption, conditional access policies, and session controls were improved.