The Microsoft 365 Security Gap Most Law Firms Don’t See

Most law firms have taken the right steps to secure Microsoft 365. Multi-factor authentication is in place, email filtering is active and staff have been trained to recognize suspicious messages.

On paper, it looks like a well-covered environment. In practice, many firms are still exposed in a place they are not actively monitoring.

Business email compromise has evolved beyond the phishing-heavy attacks most firms are used to seeing. Today, attackers are just as likely to sign in using stolen credentials or session tokens, observe normal activity over time and wait for the right moment to act.

That shift has created a gap between access and activity. For law firms handling confidential client information, that gap carries meaningful risk.

Business email compromise (BEC) continues to be one of the most financially damaging cyber threats, with billions in reported losses each year, according to the FBI’s Internet Crime Complaint Center (IC3).

What’s changed

Attackers are no longer relying solely on stolen passwords. Instead, they are taking advantage of what happens after a user successfully logs in.

Session tokens can be captured and reused, most often by an adversary-in-the-middle phishing page that proxies the real sign-in and keeps the session cookie issued after the victim completes MFA, or by infostealer malware that lifts the cookie from the browser. Replaying that token grants access without triggering another MFA prompt. Once inside, attackers often spend time observing inbox activity, reviewing shared documents and learning how attorneys and staff communicate across matters. By the time they take action, their behavior blends in with normal operations, making detection significantly more difficult.

According to Verizon’s Data Breach Investigations Report, stolen credentials and valid account access remain one of the most common ways attackers gain entry. At that point, the attacker no longer appears suspicious. They appear to be part of the firm.

Why this matters for law firms

In a law firm, email and collaboration tools are deeply tied to how work gets done. They support client communication, case strategy, document exchange and financial coordination.

When an attacker gains access to an account, they are not just accessing email. They are stepping into the flow of active client work.

For example, an attorney may be coordinating closing details with a client over email. An attacker monitoring that thread can step in at the right moment, sending updated wire instructions that appear consistent with the conversation and tone. Because the message comes from a legitimate account, it is rarely questioned until after funds have been transferred.

In some cases, attackers monitor activity for days before sending a single message that changes wire instructions or redirects a payment. Because those messages originate from a legitimate account and follow established communication patterns, they often bypass traditional security controls.

The impact extends beyond financial loss. Exposure of privileged client communications, potential ethical violations and increased malpractice risk, along with long-term damage to client trust, all come into play.

Where traditional protections fall short

Most firms have taken appropriate steps to strengthen their security posture:

  • MFA is enabled
  • Email filtering is in place
  • Staff have completed security awareness training

The challenge is that these controls were designed to stop different types of attacks. Email security focuses on blocking malicious messages before they reach the inbox. MFA focuses on verifying identity at the point of login. Neither provides meaningful visibility into what happens after access has been granted.

Reported attacks also show a sharp increase in MFA-bypass techniques, including session token theft and adversary-in-the-middle phishing, both of which produce a sign-in that has already satisfied MFA and therefore looks legitimate to the controls above.

The visibility gap

This is where the gap starts to show up.

The underlying issue is not just who logs in, but what happens next. Without visibility into user behavior across Microsoft 365, suspicious activity can easily blend in with normal work. A login may come from a familiar location. An email may be written in a tone that matches past communication. A request may align with established processes.

Individually, these signals do not raise concern. Taken together, they can indicate that something is wrong. This is where many law firms have a blind spot. The indicators are present, but without continuous monitoring and context, they are easy to miss.

A different approach to identity protection

Addressing this gap requires a shift in how firms think about security. Rather than focusing only on preventing access, firms need visibility into how accounts are being used after authentication. That includes monitoring behavior across Outlook, SharePoint and Teams, identifying activity that deviates from normal patterns and responding before the issue reaches clients.

The goal is not to generate more alerts. It is to surface the activity that actually matters and act on it quickly. Most firms do not have this level of visibility into their Microsoft 365 environment today. As a result, identity-related risks are often only discovered after there has already been client impact.

What this looks like in practice

With a more complete approach to identity protection:

  • Issues are identified and investigated before clients are impacted
  • Suspicious account behavior is reviewed in context, not as isolated alerts
  • Unauthorized changes, including new inbox forwarding rules, hidden-folder rules and logins that reuse an existing session from a new location, are identified early
  • Incidents are contained and resolved without requiring internal IT triage

This closes the gap between access and activity, which is where many modern attacks now occur.
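The two ideas above, that individual signals are weak but meaningful together, and that forwarding rules and unusual access patterns should be caught early, can be shown concretely. The following Python script is an added example, not code from the original article or from Afinety's product: it runs simple detection logic over a handful of constructed Microsoft 365 audit events. The record layout is a simplified assumption modelled loosely on unified audit log fields (Operation, UserId, ClientIP, SessionId, Parameters); the domain examplefirm.test, the mailbox names, rule contents and IP addresses are all constructed for illustration.

```python
"""Constructed example: correlating Microsoft 365 audit events to expose
post-authentication BEC activity (session token reuse, hidden inbox rules).

Added example, not code from the original article or from Afinety. The record
shape is a simplified, assumed rendering of unified audit log events; field
names follow the real log loosely and are not guaranteed to match exactly.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIRM_DOMAINS = {"examplefirm.test"}  # assumption: the firm's own mail domains
# Folders attackers commonly use to hide forwarded or matched mail from the user.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Archive"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample events: an attorney signs in normally, the same session
# token is then replayed from a new IP, mail is read, and a rule is created
# that forwards closing-related mail externally and hides it. A second user's
# harmless newsletter rule is included as a negative case.
EVENTS = [
    {"CreationTime": "2024-05-06T13:02:11", "Operation": "UserLoggedIn",
     "UserId": "jdoe@examplefirm.test", "ClientIP": "203.0.113.10", "SessionId": "s-1"},
    {"CreationTime": "2024-05-06T13:40:52", "Operation": "UserLoggedIn",
     "UserId": "jdoe@examplefirm.test", "ClientIP": "198.51.100.77", "SessionId": "s-1"},
    {"CreationTime": "2024-05-06T13:41:30", "Operation": "MailItemsAccessed",
     "UserId": "jdoe@examplefirm.test", "ClientIP": "198.51.100.77", "SessionId": "s-1"},
    {"CreationTime": "2024-05-06T13:55:03", "Operation": "New-InboxRule",
     "UserId": "jdoe@examplefirm.test", "ClientIP": "198.51.100.77", "SessionId": "s-1",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "wire;closing;invoice"},
                    {"Name": "ForwardTo", "Value": "closing.desk@mail.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-05-06T14:10:00", "Operation": "New-InboxRule",
     "UserId": "asmith@examplefirm.test", "ClientIP": "203.0.113.10", "SessionId": "s-2",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]


def _params(event):
    """Flatten the Name/Value parameter list of an inbox-rule event into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def _ts(event):
    return datetime.fromisoformat(event["CreationTime"])


def rule_findings(events):
    """Flag inbox rules that forward outside the firm, delete mail, or hide it."""
    findings = []
    for ev in events:
        if ev["Operation"] not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        p = _params(ev)
        reasons = []
        for key in sorted(FORWARD_PARAMS.intersection(p)):
            domain = p[key].rsplit("@", 1)[-1].lower()
            if domain not in FIRM_DOMAINS:
                reasons.append(f"{key} to external domain {domain}")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage")
        if p.get("MoveToFolder") in HIDING_FOLDERS:
            reasons.append(f"MoveToFolder {p['MoveToFolder']}")
        if reasons:
            findings.append({"user": ev["UserId"], "time": ev["CreationTime"],
                             "rule": p.get("Name", ""), "reasons": reasons})
    return findings


def session_reuse(events):
    """Return {SessionId: sorted IPs} for sessions seen from more than one client IP,
    the pattern a replayed session token leaves behind."""
    ips = defaultdict(set)
    for ev in events:
        ips[ev["SessionId"]].add(ev["ClientIP"])
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}


def correlate(events, window=timedelta(hours=2)):
    """Combine weak signals per user: a suspicious rule change preceded, within
    `window`, by the same user's session appearing from a second IP is high severity."""
    reused = session_reuse(events)
    alerts = []
    for f in rule_findings(events):
        t = datetime.fromisoformat(f["time"])
        related = [ev for ev in events
                   if ev["UserId"] == f["user"] and ev["SessionId"] in reused
                   and t - window <= _ts(ev) <= t]
        alerts.append(dict(f, session_reuse=bool(related),
                           severity="high" if related else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In practice the records would come from the Exchange Online Search-UnifiedAuditLog cmdlet or the Office 365 Management Activity API rather than an inline list, and the firm-domain set and hiding-folder list are the first things to tune. The point of correlate is the one the article makes: a second IP on an existing session and a new rule are each explainable on their own, but the same user producing both inside a short window is not.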

The bottom line

Email security protects the inbox, while identity-focused monitoring protects the account behind it. For law firms handling confidential client data, that distinction is critical.

Take the next step

For many firms, the first step is simply understanding what is already happening inside their Microsoft 365 environment.

A 30-day identity monitoring trial provides that visibility by highlighting account activity, surfacing potential risks and giving your team a clearer picture of where exposure may exist.

Afinety’s Microsoft 365 Identity Defense builds on this model by continuously monitoring identity activity, investigating suspicious behavior and taking action on your behalf without adding operational burden to your team.

There is no upfront cost to get started. If it would be helpful to see what this looks like in your environment, we can walk you through what the first 30 days typically uncover.