Your device management tool just became a weapon. This fortnight: Iran-linked hackers wipe 200,000 devices using Microsoft's own admin tools, an Australian healthcare software vendor hit by ransomware this week, a landmark finding on how long attackers are hiding undetected in Australian networks, and AML/CTF reforms that will reshape how law firms collect and store client identity data from 1 July.
🔐 4 things law firm leaders should know right now:
1. One admin account. No MFA. 200,000 devices wiped. Your Intune environment has the same settings.
On 11 March, Iran-linked hacktivist group Handala claimed a devastating attack on medical device giant Stryker — wiping data from an estimated 200,000 devices across 79 countries. No ransomware. No malware. The perpetrators appear to have used Microsoft Intune to issue a remote wipe command against all connected devices — the same cloud-based endpoint management tool your IT provider uses to manage your firm's laptops and phones. The attackers created a new Global Administrator account after first compromising an existing admin credential, then used Intune's built-in wipe function to erase devices at scale. "There is the bigger architectural question nobody seems to be asking: why could a single compromised Global Administrator credential issue wipe commands to 200,000 devices with no second approval, no threshold alert, no FIDO2 challenge? That is the control that was missing." Critically, personal devices enrolled in Stryker's BYOD program were also wiped — staff who had their personal phones connected to the corporate tenant lost everything on those devices too. CISA and Microsoft have both now issued urgent hardening guidance.
Most law firms running M365 Business Premium have Intune deployed and have never asked their IT provider three basic questions: Is MFA enforced on every admin account in our Intune environment? Is multi-admin approval required before any bulk wipe command can be executed? Are BYOD personal devices enrolled in our tenant — and do staff understand what that means for their personal data if the firm is attacked? If your provider cannot answer all three this week, you have the same architectural gap that took Stryker down.
2. DragonForce ransomware hits Australian healthcare software vendor.
This week DragonForce ransomware claimed an attack on Health Management Systems, an Australian healthcare software provider, threatening to release sensitive data unless ransom demands are met. No confirmed scope yet, but the model is instructive: go after the software vendor, create leverage across the entire client base simultaneously. Law firms are not healthcare providers, but the attack pattern is identical. Your practice management system, document management platform, and matter management software all represent the same single point of failure. Ask your software vendors one direct question: "When did you last commission an independent penetration test, and can you share the executive summary?" If they cannot produce one, you are trusting your client data to an untested environment.
3. Financially motivated attackers are now hiding in Australian networks for 68 days.
CyberCX's 2026 Threat Report, released 3 March and drawing on over a hundred serious incidents the firm responded to last year, found that detection time for financially motivated cyberattacks more than doubled — from 24 days in 2024 to 68 days in 2025. Attackers are investing significantly more time inside networks before triggering any visible event. The report also flagged a new internal threat now generating its own incident response work: staff uploading sensitive client material to public-facing AI tools. CyberCX is now responding to data spill incidents caused by employees pasting privileged content into ChatGPT, Copilot, and similar platforms.
For law firms, 68 days of undetected access means months of client correspondence, matter files, trust account records, and privileged communications sitting in an attacker's hands before anyone notices. If your firm has no managed detection, no SIEM, and no log monitoring — your 68 days starts the moment someone clicks the wrong link.
4. From 1 July 2026, AML and privacy obligations get very real for legal practices.
AUSTRAC has confirmed that lawyers will come within expanded AML/CTF regulation from 1 July 2026 for certain designated services. Simultaneously, the OAIC has signalled that tranche 2 entities — including law firms — will be brought into the Privacy Act for AML/CTF-related handling of personal information. The practical consequence: many firms are about to collect significantly more identity material from clients. But the OAIC has been explicit that you should not retain full identity documents for AML/CTF record-keeping purposes once the reforms apply. More compliance, but not a licence to hoard passports and licences. The cyber relevance is direct — firms that collect more identity data and store it poorly create a richer target. AML readiness and data minimisation are the same conversation.
🔧 Tool: Maester (open source)
Maester is a free PowerShell-based Microsoft 365 security testing framework that runs automated checks against your M365 tenant and produces a plain-English report showing exactly where your configuration fails against established benchmarks. Given the Stryker/Intune attack, it is the highest-return action available to law firms right now. Maester checks admin MFA coverage, conditional access policies, Secure Score baselines, audit log gaps, and privilege escalation risks — the precise controls that were absent from Stryker's environment. No vendor relationship, no sales call, no budget required. Ask your IT provider to run it and share the output with you. → maester.dev
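As an added example (not the newsletter's text and not Maester's own code), the read-only Microsoft Graph PowerShell script below answers the first of the three questions in item 1, so an IT provider can run it alongside Maester: it lists admin accounts with no registered MFA method and confirms that an enabled Conditional Access policy enforces MFA for the Global Administrator role. It assumes the Microsoft.Graph module is installed, read-only Graph scopes, and an Entra ID P1/P2 licence for the registration report; the role template ID is the well-known Global Administrator ID.

```powershell
# Added example: read-only check of admin MFA coverage via Microsoft Graph.
# Assumes Microsoft.Graph module (Install-Module Microsoft.Graph) and read-only scopes.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

# --- Question 1a: does every privileged account have an MFA method registered? ---
# The registration-details report flags admin accounts (IsAdmin) and MFA state.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin }
$noMfa = $admins | Where-Object { -not $_.IsMfaRegistered }

"Admin accounts: $($admins.Count); without a registered MFA method: $($noMfa.Count)"
$noMfa |
    Select-Object UserPrincipalName, IsMfaRegistered, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# --- Question 1b: is MFA actually *enforced* for Global Administrators? ---
# Registration alone is not enforcement; an enabled Conditional Access policy must
# target the role and require MFA or an authentication strength (e.g. phishing-resistant).
$globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'   # well-known role template ID
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All

$adminMfaPolicies = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    ($_.Conditions.Users.IncludeRoles -contains $globalAdminRole) -and
    (
        ($_.GrantControls.BuiltInControls -contains 'mfa') -or
        ($null -ne $_.GrantControls.AuthenticationStrength.Id)
    )
}

if ($adminMfaPolicies) {
    'Enabled Conditional Access policies enforcing MFA for Global Administrators:'
    $adminMfaPolicies |
        Select-Object DisplayName,
            @{ n = 'Strength'; e = { $_.GrantControls.AuthenticationStrength.DisplayName } },
            @{ n = 'ExcludedUsers'; e = { ($_.Conditions.Users.ExcludeUsers | Measure-Object).Count } } |
        Format-Table -AutoSize
} else {
    'WARNING: no enabled Conditional Access policy requires MFA for the Global Administrator role.'
}
```

Any account in the first table, or the WARNING line in the second check, is the gap described in item 1; the ExcludedUsers column matters because a policy with broad exclusions gives a false sense of coverage.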
💡 Tip:
The CyberCX finding on staff uploading client files to public AI tools is the one that should concern law firm leaders most this fortnight — not because it is dramatic, but because it is invisible and already happening in your firm. Your staff are using ChatGPT, Copilot, Gemini, and others to draft correspondence, summarise documents, and speed up research. Some of them are pasting client matter details, opposing party information, or privileged communications into those prompts without understanding the implications. A one-page AI Acceptable Use Policy — specifying clearly what data can and cannot be entered into public AI tools — takes two hours to draft and costs nothing to enforce. Have every staff member acknowledge it in writing this month. It closes a gap that is currently generating incident response work for Australia's largest cyber firms.
📖 Resource:
If the 68-day dwell time finding has you wondering what your firm's actual first-72-hours response looks like — not the policy, the real decisions under pressure — that is exactly the scenario my April webinar recreates. "Navigating a Cyber Breach: A Live Decision-Making Experience" runs your leadership team through a live ransomware simulation using the Colour Code Method™. CPD-accredited (Reference #501037). Built exclusively for legal sector leaders.
21 April 2026 at 12:00PM — [register your interest here →]
💬 Quote:
"Why could a single compromised Global Administrator credential issue wipe commands to 200,000 devices with no second approval, no threshold alert, no FIDO2 challenge? That is the control that was missing." — Security researcher commentary on the Stryker/Intune breach, GovInfoSecurity, March 2026
Something here worth a 15-minute conversation? → [Book a Cyber Chat]
— John
The Legal Cyber Brief — monthly cyber intelligence for law firm leaders. Threats, regulatory shifts, and practical tools from the field. No fluff.