What Hackers Know about Law Firms That Most Partners Never See Coming

Based on a case from a Philadelphia-area practice, and relevant to any small or mid-size firm that assumes its systems are “probably fine.”

Written by Keith Tessler, a Philadelphia-area MSP owner specializing in cybersecurity and managed IT services for small and mid-size law firms.

A few years ago, I got to know the senior partner of a small Philadelphia-area law firm. Smart, steady, well-respected. The kind of attorney who keeps a calm hand on the wheel.

But like many firms I work with across this region, he didn’t spend much time thinking about what was happening inside his technology because nothing looked out of place. And when everything looks normal from the outside, it’s easy to believe the systems behind it are safe — especially if you’re convinced that a small practice isn’t worth a hacker’s time.

I had mentioned more than once that the threat landscape had changed. Hackers aren’t the same hobbyists we dealt with twenty years ago.

Why Law Firms Face Unique Cybersecurity Risks Today

Today, many hackers are offshore operators using automated, AI-driven tools that hunt for weaknesses without caring who you are. It might be a few guys, or it might be an entire company of hackers. Either way, they don’t need to target you personally. They only need to find a gap.

He acknowledged the point, but like a lot of people, he set it aside for later.

Then one day, later arrived.

He called me about a strange alert from Microsoft. It said he’d exceeded his daily limit for outgoing email. He told me he’d only sent a handful of messages that day and wondered if something was wrong with Microsoft.

For context, Exchange Online’s documented sending limit for a standard Microsoft 365 mailbox is 10,000 recipients per day (and 30 messages per minute), far more than any attorney sends by hand.

If they’re warning you that you’ve hit it, something much more serious is probably going on.

And it was.

His email account had been compromised, but the real story went much deeper. Like a lot of small firms, he was using one Microsoft 365 account for both everyday email and administration: the login he read mail with also held an administrator role. It made life easier — approve an app here, tweak a setting there, no need to bother anyone for help. I understand the impulse. Convenience feels efficient.

The problem is that when a hacker breaks into a system with admin rights, they now have all the same powers you have. Your keys open the entire building for them.


Key Insight: Once a hacker finds just one person’s admin-level access, they have the key to your entire practice — and there’s a good chance you won’t know it.


Quietly, over several days, the attacker installed dozens of programs, plug-ins, and remote-control tools against his Microsoft 365 account (in Microsoft 365 terms, third-party applications granted access to the tenant). They created new email accounts. They positioned themselves to read documents, browse shared folders, access spreadsheets, harvest contacts, and move through every corner of the firm’s Microsoft 365 environment.

And they did all of it without setting off alarms.

By the time we stepped in, the intruder had a level of access that would make any attorney’s hair turn gray. We spent hours unraveling the first layer of damage, and once we installed our own monitoring and security tools, we began to see the rest of the picture.

As soon as we cleaned up their foothold, the attacker tried again, immediately attempting to create more fraudulent email accounts. This time, we stopped it.

What Hackers Can Do Inside a Compromised Law Firm Account

That’s when the senior partner asked me a question I’ve heard from more than one law firm after the fact. And he asked it the way anyone would – needing to know the answer, while at the same time wishing he didn’t have to hear it:

How much harm could they have caused?

I walked him through it. And I’ll do the same for you.

Here’s the short version of what a hacker can do once they’ve taken over a Microsoft 365 account inside a law firm.

  • They can quietly forward your emails to an external mailbox.
  • They can send emails in your name, carrying malicious links or attachments, to compromise your contacts’ systems as well.
  • They can read and download every document on OneDrive or SharePoint.
  • They can create hidden inbox rules that reroute sensitive communications.
  • They can impersonate your attorneys using newly created internal email accounts.
  • They can send phishing messages to clients that look completely legitimate.
  • They can reset passwords, lock you out, or deploy ransomware.
  • They can alter, download, or delete files, or copy them for sale on the dark web.
  • They can establish persistence so they can return even after you think they’re gone.

This isn’t a Hollywood script. This is the real-world playbook.

And it happens most often to law firms that believe they’re too small to be noticed.
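The following is an added example, not code from the original post or from the author’s firm: a first-pass hunt for the forwarding rules, inbox rules, new accounts, and consented applications listed above, written for the tools an administrator would actually use (the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules). It goes beyond the single mailbox in the story and sweeps the whole tenant. The module names are real; the 14-day window in $Since and the permission scopes requested are assumptions for illustration, and the operator is assumed to hold roles that can read mailbox settings, directory objects, and the unified audit log.

```powershell
# Added example (not from the original post): a first-pass hunt for the
# persistence mechanisms listed above, run against a Microsoft 365 tenant.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are
# installed and the operator holds roles that can read mailbox settings,
# directory objects and the unified audit log. $Since is an assumed window.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All","AuditLog.Read.All"

$Since = (Get-Date).AddDays(-14)

# 1. Mailbox-level forwarding (a silent copy of everything to an outside address).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules on every mailbox that forward, redirect, delete or file mail.
#    Attackers name these "." or "..", or route replies into RSS/Archive folders
#    so the victim never sees the bank's or the client's questions.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        $_.DeleteMessage -or $_.MoveToFolder
    } | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
}

# 3. Accounts created inside the window (the "newly created internal email accounts").
Get-MgUser -All -Property DisplayName,UserPrincipalName,CreatedDateTime |
    Where-Object { $_.CreatedDateTime -gt $Since } |
    Select-Object DisplayName, UserPrincipalName, CreatedDateTime

# 4. Applications holding delegated permission grants. OAuth consent is the usual
#    way "programs and plug-ins" end up inside a Microsoft 365 account; anything
#    with Mail.*, Files.* or offline_access in Scope deserves a hard look.
Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{
        App         = $sp.DisplayName
        Publisher   = $sp.AppOwnerOrganizationId
        ConsentType = $_.ConsentType    # "AllPrincipals" = admin consent for every user
        Scope       = $_.Scope
    }
}

# 5. Who made those changes, when, and from which IP address.
Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -ResultSize 5000 `
    -Operations New-InboxRule,Set-InboxRule,Set-Mailbox,"Add user.","Consent to application." |
    Select-Object CreationDate, UserIds, Operations,
        @{ n = "ClientIP"; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } }
```

Step 2 walks every mailbox and is slow on larger tenants; during an active incident, run it against the compromised mailbox first and sweep the rest afterwards. Step 5 only returns what was logged, which is why mailbox auditing needs to be on before the incident, not after.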

After we eradicated the intruder’s tools, we rebuilt the firm’s environment properly. Monitoring, maintenance, 24/7 detection, strong identity controls, no admin roles on any account that sends or receives email (administration happens from separate, dedicated accounts), and ongoing reviews of their Microsoft 365 configuration. Not bells and whistles — just good hygiene.

Or what a football coach might call fundamental blocking and tackling.

The firm is safer now than it has ever been. But I always wish conversations like this would happen before the emergency, not after.

What Small and Mid-Size Law Firms Actually Need to Stay Secure

If you’re running a law firm, large or small, and you’re wondering how to avoid becoming the next story, here’s the truth: every firm is different, but the baseline protections are surprisingly consistent.

A typical 10-to-20-person practice usually needs several key elements in place to stay truly secure.

  • A professional monitoring system that flags suspicious behavior in real time.
  • Strong identity protections with multi-factor authentication and conditional access.
  • No administrator roles on everyday user accounts; admin work is done from separate, MFA-protected accounts that never receive email.
  • Proper email security, including anti-phishing and anti-spoofing safeguards.
  • Routine patching and updates for every system.
  • Endpoint detection and response tools that catch malicious activity immediately.
  • Reliable cloud and local backups that can be restored quickly.
  • A defined onboarding and offboarding process to close gaps.
  • Regular reviews of Microsoft 365 settings as the platform evolves.
  • Practical guidance about secure workflows for client communication.
  • A trusted technology partner who steps in before something becomes urgent.

Key insight: You don’t need to fund an internal tech department to establish and maintain a secure system for your practice. You just need an appropriate tech structure and a qualified IT management service to oversee the vulnerable places where hackers could attack and hide — so you can focus on practicing law.
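As an added example (not code from the original post), here are read-only checks behind three items on the list above: admin roles off everyday accounts, MFA and conditional access, and periodic review of Microsoft 365 settings. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the operator can read directory roles and policies; the permission scopes requested are assumptions.

```powershell
# Added example, not from the original post: read-only checks behind three of
# the items above (admin roles off everyday accounts, MFA and conditional
# access, periodic review of Microsoft 365 settings). Assumes the
# Microsoft.Graph and ExchangeOnlineManagement modules are installed and the
# operator can read directory roles and policies.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Policy.Read.All","User.Read.All"

# 1. Who holds Global Administrator? Every entry should be a dedicated admin
#    account that never sends or receives mail, not a partner's daily login.
$ga = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# 2. Is MFA actually enforced? Either Security Defaults is on, or an enabled
#    Conditional Access policy requires MFA. If both come back empty/false,
#    the tenant is protected by passwords alone.
(Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = "RequiresMfa"; e = { $_.GrantControls.BuiltInControls -contains "mfa" } }

# 3. Two Exchange Online settings worth checking on every review: whether
#    mailbox auditing is on (you cannot investigate what was never logged) and
#    whether users can auto-forward mail outside the tenant.
Connect-ExchangeOnline
(Get-OrganizationConfig).AuditDisabled          # should be False
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode   # "Off" is the safe value
```

A policy that requires MFA but has State set to "enabledForReportingButNotEnforced" (report-only) protects nobody; check the State column, not just the RequiresMfa column.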


I’ve worked with enough law firms to know this: your reputation rests on more than the strength of your legal arguments. It rests on trust. Your clients trust you with their most sensitive matters, and in today’s world, that trust depends as much on your technology practices as your case strategy.

If you’re unsure how secure your systems really are, that’s a perfectly reasonable place to be. Most attorneys don’t get training in cybersecurity, nor should they be expected to. That’s my lane.

Your lane is serving clients.

My advice is simple: make sure your firm’s technology is built to withstand the kind of attacks that don’t announce themselves. You don’t want to learn the hard way what it means when Microsoft tells you that yesterday, you supposedly sent thousands of emails you never wrote.

That alert is rarely the central problem.
It’s a symptom of something darker.



FAQs

  1. What makes law firms such attractive targets for hackers?
    Law firms hold confidential client information, financial data, case documents, contracts, and communication that cybercriminals can use for extortion or resale. Even small practices have valuable data. Hackers know many firms rely on DIY technology setups, which makes their defenses easier to compromise.
  2. Is outsourcing IT cost-effective for small and midsize law firms?
    Yes. For most firms, outsourcing is far less expensive than hiring even one full-time IT professional. You get access to a full team, enterprise-grade tools, and round-the-clock monitoring without the overhead of building an internal department.
  3. What should a law firm do immediately if it suspects a breach?
    Stop using the compromised account, reset its password, and revoke its active sign-in sessions, because a password change alone does not log out an attacker who already holds a session token. Remove any MFA methods or recovery contacts you did not add yourself. Then contact your IT or MSP partner right away. Don’t delete anything: inbox rules, new accounts, and consented apps are evidence of what the intruder did, so document them before removing them. A professional team will isolate the threat, identify what was accessed, and begin cleanup. Quick action can prevent a bad break-in from becoming catastrophic.

Keith Tessler, CMIT of Philadelphia and Cherry Hill
About Keith Tessler

As a Philadelphia-based technology expert and owner of a managed IT services firm, I understand how hard it is for attorneys to carve out time for their technology when their priorities are clients and cases. If you’re ready to take a clear, honest look at your firm’s systems and security, I’m here to help — no drama, no scare tactics, and no high-pressure sales.

 
