Ransomware headlines get the attention, but the incident that actually breaks most firms starts with a phishing email and a stolen credential. Identity — not malware — is the attack surface that matters most in legal practice today, and the sophistication of identity-based attacks against law firms has increased sharply in the last twelve months.
Attorneys are high-value targets
A single partner's credentials open matter files, client trust accounts, executive email threads and, increasingly, AI systems with cross-matter reach. Attackers know this and increasingly craft firm-specific lures that look like opposing counsel, court notices, or genuine client emails referencing real active matters. The volume of firm-specific reconnaissance we are seeing on the offensive side is materially higher than a year ago.
MFA is necessary but not sufficient
SMS-based MFA is now routinely bypassed at scale. Firms need phishing-resistant methods — FIDO2 keys, platform authenticators, number matching — layered with conditional access that considers device health, location and session risk. Firms still relying on SMS as their primary MFA factor are exposed to attack patterns that are trivial to execute in 2026.
Detection has to be assumed-breach
The question isn't whether an account will eventually be compromised; it is how quickly the compromise will be caught and contained. Continuous monitoring of sign-ins, session risk and impossible travel is what shrinks the blast radius from a firmwide incident to a contained event that never makes the news.
Wire-fraud impersonation is the loudest specific risk
The single fastest-growing category of legal-sector fraud is wire-transfer impersonation timed to real closing events. Attackers now routinely piece together enough context from breached mailboxes to inject convincing wire-instruction changes into live deal threads. The controls that prevent this are procedural as much as technical, and they need to be trained.
Train, but don't rely on training
Awareness helps at the margin. But the goal is a stack that catches the phish before the human sees it, and contains the damage when the human clicks anyway. Assume both will happen. Every firm we have worked with that assumed 'our people wouldn't fall for that' has had at least one incident that proved otherwise.
The post-incident lens
Firms that have been through a serious identity incident emerge with three consistent priorities: consolidate identity providers, invest in phishing-resistant MFA universally, and put a 24×7 SOC in place. Firms that haven't yet had that incident have the option to make those investments while the choice is still theirs.
We help firms shut down the identity attack path end-to-end. Talk to our cybersecurity practice, or subscribe below for our monthly threat brief.



