‘Months, Not Years’: The Five Eyes AI Warning No Law Firm Should Scroll Past.

Your next phishing email won't have a single typo — because a machine wrote it. This fortnight: an unprecedented Five Eyes warning that AI-powered attacks are close, a professional-services firm with client banking details dumped on the dark web, a critical server flaw the ASD says is already being exploited, and ransom-payment rules that now have real teeth.

🔐 4 things law firm leaders should know right now:

1. Five Eyes issues a rare joint warning: AI-powered attacks are "months, not years" away.

On 22 June, the cyber security agencies of Australia, the US, UK, Canada and New Zealand released a rare joint statement warning that frontier AI models could be used to conduct cyber attacks within months and will pose a greater cyber security risk than expected. They said cyber risk assumptions can now become outdated in months rather than years, and that AI lowers the barrier for attackers while increasing the speed and complexity of attacks. The context is pointed: the warning follows the Trump administration ordering Anthropic to suspend foreign-national access to its most advanced models. One national-security expert put the stakes plainly — large corporations that already invest in cybersecurity will be better prepared, while under-invested small and medium businesses will basically be sitting ducks. That's your firm. A law practice is an SMB sitting on a treasure chest of confidential and privileged data. The recommended actions are unglamorous but exact — invest in defences, upgrade old systems, patch faulty software, and limit who has access to critical systems. The practical near-term threat isn't sci-fi malware — it's flawless, personalised phishing produced at industrial scale. The typo-spotting era is over. (Source: Computer Weekly)

2. Qilin dumps a professional-services firm's client banking data.

Kennedy McLaughlin & Associates — a 21-person Brisbane firm offering estate planning, tax and business advisory — confirmed a cyber incident after being listed on the Qilin ransomware leak site, with the published dataset including the financial and banking details of several clients. The detail worth pausing on: the firm's own website lists legal professions among the client base it services. And Qilin is no fringe outfit — it has claimed 1,882 victims across 98 countries since 2022, is currently the most active ransomware operation in existence, and has listed 17 Australian victims in 2026 alone. Relevance to law firms: a small professional-services practice holding trust-adjacent financial data is exactly Qilin's target profile. "We're too small to be worth attacking" is precisely the assumption they monetise. Small firm, sensitive data, likely modest security spend — that's the whole business model. (Source: Cyber Daily)

3. ASD flags a critical server flaw already under active exploitation: CVE-2026-4194.

The ASD's ACSC has warned it is aware of exploitation of a vulnerability in cPanel / WebHost Manager administration interfaces (CVE-2026-4194), carrying a CVSS 4.0 base score of 9.3 — near the top of the severity scale. It sits alongside two other live advisories your IT provider should already be actioning: a ClickFix social-engineering campaign spreading malware through compromised WordPress sites, and a campaign targeting Fortinet firewalls and VPN gateways. Many firms' websites, client portals and email run on cPanel/WHM hosting without anyone at the firm ever thinking about it. Ask your provider one question this week: "Have you patched CVE-2026-4194, and when?" If they can't give you a date, that's your answer. (Source: Cyber.gov.au)

4. Ransom-payment reporting is no longer theoretical: enforcement has started.

Under the Cyber Security Act 2024, businesses with turnover above $3 million that make a ransomware payment must report it to the ASD within 72 hours — an obligation in full force since May 2025. The teeth are now out: from January 2026 the Department of Home Affairs moved to active compliance and enforcement, and 75 Australian businesses over the $3 million threshold have already admitted paying off ransomware groups in the first eight months of mandatory disclosure. Layer on the tightened privacy regime — OAIC infringement notices of up to $66,000 per contravention and a new statutory tort for serious invasions of privacy — and quietly paying a ransom is no longer a private decision; it's a reportable event with a countdown. If your firm meets the turnover test, a 72-hour reporting step needs to be written into your incident-response plan now — not improvised at 2am mid-breach.

🔧 Tool: GoPhish (open source)

GoPhish is a free, self-hosted phishing simulation framework that lets you run a controlled phishing campaign against your own staff and see exactly who clicks, who enters credentials, and who reports it. Given item #1 — machine-written phishing that no longer looks wrong — this is the highest-return action available to a law firm right now: find your click-throughs before an attacker does, then target training at the people who need it. No vendor relationship, no sales call, no budget required. Ask your IT provider to run a campaign against your firm and share the results with you. If they resist testing your own people, ask why. → getgophish.com

💡 Tip: Kill the AI-phishing payment scam with a callback rule.

Stop relying on an email "looking wrong" — it won't anymore. Institute one hard rule across the firm: any change to bank or trust-account details, and any unexpected payment request, is verified by calling the person back on a number you already hold, never a number or link in the email itself. It's a five-minute policy that defeats the single most expensive attack a law firm faces: business email compromise redirecting settlement or trust funds. Put it in writing, and have every fee-earner and admin staff member acknowledge it this month.

📖 Resource:

If item #4 has you realising your firm has no real sense of what the first 72 hours of a ransomware attack actually look like — not the written policy, but the live decisions under pressure: do you pay or not, who do you call first, what has to be reported and by when — that's exactly what my CPD-accredited session recreates. "Navigating a Cyber Breach: A Live Decision-Making Experience" runs your leadership team through a live ransomware simulation using my Colour Code Method™, built to help a firm survive the attack, not just talk about preventing it. Built exclusively for legal-sector leaders.

Cyooda: Navigating a Cyber Breach (Aug 19, 10am) [register your interest here →]

💬 Quote:

"Breaches will occur. Preparedness helps you contain them quickly." — Five Eyes cyber security agencies, joint statement, June 2026 (Source: CBS News)

Something here worth a 15-minute conversation? → [Book a Cyber Chat]

— John

John Reeman - Virtual CISO

I'm the CEO and Founder of Cyooda Security, an independent cybersecurity and digital forensics advisory consultancy based in Sydney. I am the former CISO of King & Wood Mallesons, a global law firm, with 30 years of cybersecurity leadership protecting organisations and government agencies from data breaches, ransomware, and cyber espionage.

The Legal Cyber Brief — monthly cyber intelligence for law firm leaders. Threats, regulatory shifts, and practical tools from the field. No fluff.
