The Email That Never Arrived: Inside a Real Business Email Compromise

The picture above is thirty years old, yet its message still holds true today. Our legal and business systems are built on the assumption that we know who we're dealing with. That assumption is exactly what BEC exploits.

The Setup (Access)

Real matter. 2025. Construction firm. The attacker gains access through a targeted phishing email — an employee clicks a link, enters credentials into a convincing replica login page, and the attacker now has full access to that mailbox. Standard enough. What happens next is where the sophistication lies.

An employee goes on paternity leave. Their access credentials remain live. That's the open door. But the attacker doesn't rush through it.

The Wait (Reconnaissance)

They spend weeks observing. Reading emails. Understanding payment patterns, supplier relationships, amounts, timing, communication styles. This is the part organisations rarely appreciate: the attacker isn't just looking for a target, they're learning how to be invisible. The goal is to act in a way that looks entirely normal.

The Rule (Diversion)

One mailbox rule. 30 seconds to configure. Every invoice from the targeted supplier, every reply from colleagues — silently redirected to a hidden folder the victim never sees. The business keeps operating. Invoices continue to be sent. Nobody notices because nothing appears to be wrong. That's the entire point — it's designed to look normal.

The Move (Fabrication)

When the attacker acts, they send an email that looks exactly like every other invoice follow-up. No spelling errors, no foreign prince. Written to be boring. Routine. The kind of email that gets processed without a second thought. Bank account details updated. Payment requested.

The Near Miss

One person, returning from leave, who hadn't been in the loop. Something felt off about a payment instruction. She picked up the phone — not email — and called the supplier directly. That call exposed the fraud. No AI. No SIEM alert. No fraud detection. Human instinct and a phone call.

What Didn't Stop It

No alert fired. No system flagged the mailbox rule. No anomaly detection, no impossible travel alert, no security tool of any kind engaged. The business operated normally for weeks with an attacker inside it. That's the reality most organisations don't want to accept.

What This Means for Law Firms

Law firms have every element that makes BEC attractive: high-value transactions, trust account communications, settlement instructions by email, external counsel relationships, client payment details. They are a primary target. And most don't have the monitoring in place to detect a mailbox rule being created silently.

Three Things Worth Checking

1. Is mailbox audit logging enabled in your M365 tenant?
2. Do you have alerts configured for new inbox rules created externally?
3. Does your IT provider know to preserve, not fix, if something looks wrong?
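As an added example that is not part of the original post, the read-only PowerShell sweep below covers the three checks against an Exchange Online tenant. It assumes the ExchangeOnlineManagement module is installed and the account has mailbox read and audit-log search rights; the list of "quiet" folders and the 30-day window are assumptions to adjust.

```powershell
# Added example, not the author's own tooling. Read-only triage of the three checks:
# nothing here changes the tenant, and no rule is removed (preserve, not fix).
Connect-ExchangeOnline -ShowBanner:$false

# Check 1: tenant-level mailbox auditing. AuditDisabled = $true means auditing is OFF.
$org = Get-OrganizationConfig
"Tenant mailbox auditing disabled: $($org.AuditDisabled)"

# Folders a user rarely opens, so mail moved there effectively disappears
# (assumed list; extend it with folder names seen in your own investigations).
$quietFolders = @('RSS Feeds', 'RSS Subscriptions', 'Conversation History', 'Junk Email', 'Archive', 'Deleted Items')

# Check 2: enumerate every user mailbox rule and flag the ones that hide or divert mail.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        if ($rule.DeleteMessage) { $reasons += 'deletes mail' }
        if ($rule.MarkAsRead)    { $reasons += 'marks as read' }
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) { $reasons += 'forwards or redirects' }
        # MoveToFolder is reported as a path ending in the folder name, so match on the suffix.
        if ($rule.MoveToFolder -and ($quietFolders | Where-Object { $rule.MoveToFolder -like "*$_" })) {
            $reasons += "moves mail to '$($rule.MoveToFolder)'"
        }
        if ($reasons) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Enabled = $rule.Enabled; Why = ($reasons -join '; ') }
        }
    }
}
$findings | Format-Table -AutoSize

# Check 3: who created or changed rules in the last 30 days, and from which client IP.
# A rule created from an address the user never logs in from is the record to preserve and investigate.
# (Rules edited from desktop Outlook are logged under the UpdateInboxRules operation instead.)
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When     = $d.CreationTime
        User     = $d.UserId
        Op       = $d.Operation
        ClientIP = $d.ClientIP
        Rule     = ($d.Parameters | Where-Object Name -eq 'Name').Value
    }
} | Sort-Object When | Format-Table -AutoSize
```

Export both tables before anyone touches the mailbox, since the audit record is the evidence a forensic investigation will rely on.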

If you'd like to review your firm's exposure to BEC or understand what a forensic investigation looks like when it happens, reach out.

John Reeman - Virtual CISO

John Reeman

I'm the CEO and Founder of Cyooda Security, an independent cybersecurity and digital forensics advisory consultancy based in Sydney. I was formerly CISO of King & Wood Mallesons, a global law firm, and have 30 years of cybersecurity leadership protecting organisations and government agencies from data breaches, ransomware, and cyber espionage.

The Legal Cyber Brief — monthly cyber intelligence for law firm leaders. Threats, regulatory shifts, and practical tools from the field. No fluff.