
Microsoft 365 Security for Small Law Firms: Protecting Client Privilege from Phishing and Token Theft

Most small law firms bought Microsoft 365 for email, document storage, and remote collaboration. Most of them did not configure the security features that come with it. This distinction, between having Microsoft 365 and having a secure Microsoft 365, is where the majority of law firm breaches in 2026 begin.

An average 25-attorney US firm running a basic email provider with a standard spam filter receives 14 attempted partner impersonation emails per month. With Microsoft Defender for Office 365 properly configured, 11 of those are blocked before reaching any attorney’s inbox. Without it, all 14 reach the inbox, and the 3 that get through are the ones that generate bar grievances and carrier claims 6 to 18 months later. The security capability is already in the license most law firms have purchased. The gap is configuration, not investment.

KEY STAT: Phishing and BEC are the #1 and #2 causes of law firm data breaches. The legal sector is the 4th most ransomware-targeted industry. Wire fraud from BEC attacks cost law firms an average of $450,000 per incident in 2025. Microsoft reports MFA prevents over 99% of automated account attacks, yet many small firms have not enforced it across all accounts. (Sources: Halcyon / BakerHostetler DSIR 2026 / Wintive)

Why Microsoft 365 is both the target and the solution

Microsoft 365 is the operating environment for most small law firms: email is in Outlook, documents are in SharePoint and OneDrive, communication is in Teams, and calendaring is in Exchange. This concentration means that a single compromised Microsoft 365 account gives an attacker access to the entire firm’s operational environment: email archives, client documents, case strategy, billing records, and the credentials needed to impersonate partners in wire transfer fraud.

The attacks targeting law firm M365 environments in 2026 fall into three categories. Business email compromise (BEC) uses spoofed or hijacked partner accounts to redirect wire transfers, request fraudulent payments, or manipulate closing instructions in real estate transactions. AiTM (adversary-in-the-middle) phishing bypasses MFA by stealing session tokens at the moment of authentication; one AiTM campaign in April 2026 compromised 35,000 users across 13,000 organizations in three days, all of whom were using MFA. And credential phishing (fake Microsoft login pages, fake Docusign requests, fake client portal links) remains the most common initial access vector for law firm breaches.

Microsoft 365 Business Premium contains the controls that address all three attack categories and becomes significantly more effective when supported by managed detection and response capabilities that continuously monitor for threats. The problem is that many law firms are running Microsoft 365 Business Basic or Standard, licenses that lack the security features, or are running Business Premium but have not enabled the security controls that come with it.

The Microsoft 365 license question for law firms

License and the security capability gap it leaves:

M365 Business Basic: No Defender for Office 365, no Intune device management, no Azure AD Premium (no Conditional Access, no Identity Protection). Essentially no enterprise security controls.

M365 Business Standard: Includes Defender for Office 365 Plan 1 (basic email security) but no Conditional Access, no Identity Protection, no Defender for Endpoint. Inadequate for firms handling sensitive client data.

M365 Business Premium: Includes Defender for Office 365 Plan 1, Intune device management, Azure AD Premium P1 (Conditional Access), and Microsoft Defender for Business. The minimum recommended license for most law firms.

M365 E3/E5 (Enterprise): Full Conditional Access, Identity Protection, Defender for Office 365 Plan 2 (attack simulation, threat hunting), Purview compliance tools, advanced audit. Recommended for larger firms or those in highly regulated practices.

Most small law firms should be running Microsoft 365 Business Premium at minimum. If your firm is currently on Business Basic or Standard, the security capability gap is significant, and the cost difference between Business Standard and Business Premium is typically $8 to $12 per user per month, which is far less than the cost of a single BEC incident.

The 8 M365 security controls every law firm should enable

  1. Multi-factor authentication enforced for all users: not just partners, not just administrators, but every account, including paralegals, receptionists, and contractors. Use number matching in Microsoft Authenticator to prevent MFA fatigue attacks. Deploy phishing-resistant MFA (FIDO2 security keys or Windows Hello) for partners and finance staff.
  2. Conditional Access policies: require managed, compliant devices for sign-in; block access from high-risk locations; enforce re-authentication for sensitive operations; and disable legacy authentication protocols that bypass MFA entirely. Legacy protocols (IMAP, POP3, SMTP AUTH) should be blocked organization-wide; they are the bypass routes attackers use when MFA is enforced only on modern authentication.
  3. Microsoft Defender for Office 365 with anti-impersonation protection: configure impersonation protection for all partner names and the firm’s domains; enable Safe Links and Safe Attachments; set up anti-phishing policies with aggressive thresholds for legal practice contexts. A 25-attorney firm receives 14 partner impersonation attempts monthly; these controls catch 11 of them.
  4. Data Loss Prevention (DLP) policies: configure DLP rules that detect and block transmission of client-identifying information, Social Security Numbers, financial account data, and attorney-client privileged content via email, SharePoint sharing, and Teams messages. DLP does not replace attorney judgment, but it catches the accidental exposures that happen under deadline pressure.
  5. Microsoft Purview sensitivity labels and information protection: classify client documents by matter and sensitivity, apply encryption that follows the document regardless of where it is sent, and restrict printing and forwarding of the most sensitive materials. In-Place Legal Hold preserves all communications for discovery under Federal Rules of Civil Procedure Rule 37(e).
  6. Intune device management: enroll all firm devices in Microsoft Intune, enforce device compliance policies (encryption, screen lock, current OS), and enable remote wipe. A lost or stolen laptop should not become a breach; Intune remote wipe removes firm data from the device whether or not the device is recovered.
  7. Microsoft Entra Identity Protection and sign-in risk policies: enable automated risk detection that flags impossible travel, anonymous IP access, and unfamiliar sign-in locations. Configure risk-based Conditional Access to require step-up authentication or block sign-ins when risk signals are detected.
  8. Unified Audit Log enabled and retained: verify that audit logging is active for all user and administrator activities, particularly when integrated with managed SOC services for continuous monitoring and threat visibility. Retain logs for a minimum of 90 days. Law firm M365 forensics after an incident depend entirely on audit log availability; organizations that discover they did not have logging enabled find themselves unable to determine what the attacker accessed.
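Controls 2 and 8 both have a tenant-level setting that is easy to assume is on and is not. The Exchange Online PowerShell below is an added example, not code from the original post or from Armour Cybersecurity; it checks the Unified Audit Log and mailbox auditing switches, then turns off the legacy protocols the list names (SMTP AUTH at the tenant level, POP3 and IMAP per mailbox). It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the final Set-CASMailbox call is left with -WhatIf so it reports rather than changes until you have reviewed the list.

```powershell
# Added example (not from the original post): verify auditing and disable legacy
# protocols in Exchange Online. Assumes the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# --- Control 8: Unified Audit Log ingestion and per-mailbox auditing ---
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified Audit Log ingestion is OFF; enabling it.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Mailbox auditing is on by default at the org level, but it can be switched off; verify.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled org-wide; re-enabling.'
    Set-OrganizationConfig -AuditDisabled $false
}

# --- Control 2: legacy protocols (IMAP, POP3, SMTP AUTH) ---
# Tenant-wide SMTP AUTH off. A per-mailbox override (SmtpClientAuthenticationDisabled = $false)
# still wins, so those are reported below.
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    Write-Warning 'SMTP AUTH is enabled tenant-wide; disabling.'
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}

# Mailboxes that still expose POP, IMAP, or a per-mailbox SMTP AUTH override.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false }
$exposed |
    Select-Object Name, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# Turn POP and IMAP off for every user mailbox. Remove -WhatIf once the report above is reviewed.
Get-CASMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -WhatIf
```

Disabling the protocols in Exchange Online closes the mailbox side; the Conditional Access policy that blocks legacy authentication clients at sign-in is the other half, and both are needed because a mailbox-level exception re-opens the first.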

Armour Cybersecurity’s M365 Security Optimization service implements all of these controls correctly, including Conditional Access policy design, Defender configuration, and ongoing monitoring for your law firm’s specific threat profile. Explore M365 Security Optimization →

Protecting client trust accounts from wire fraud

Wire fraud targeting law firm trust accounts is the most costly single-incident type the legal sector faces. The pattern is consistent: an attacker compromises a partner’s email account (through phishing or credential theft), monitors email traffic to identify active real estate closings or settlement disbursements, then at the critical moment sends wire instructions to the client that redirect funds to an attacker-controlled account.

The M365 controls that specifically protect against this scenario:

  • Enable advanced anti-phishing in Defender for Office 365 with impersonation protection for all partner email addresses; attackers creating look-alike domains to impersonate partners will be flagged before the email reaches the client.
  • Configure a mail flow rule that requires out-of-band verbal confirmation for any wire transfer instruction over a defined threshold, and document this process in client engagement letters.
  • Set up alerts for new email forwarding rules; attackers who compromise an account frequently create forwarding rules to monitor email traffic. An alert when a new forwarding rule is created enables rapid detection.
  • Enable mailbox audit logging for all accounts, so that if an account is compromised, the forensic evidence of what was accessed and sent is available for the incident investigation.
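Two of the four controls above translate directly into Exchange Online PowerShell. The script below is an added example, not code from the original post or from Armour Cybersecurity: it creates a mail flow rule that tags inbound messages carrying wire instructions with a verify-by-phone reminder, then hunts the Unified Audit Log for inbox rules that forward or redirect mail and marks the ones pointing outside the firm. The firm domain, the rule name, the keyword list and the 90-day window are placeholders chosen for the example.

```powershell
# Added example (not from the original post): wire-instruction tagging rule plus a
# forwarding-rule hunt over the Unified Audit Log. Assumes ExchangeOnlineManagement.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$firmDomain = 'example-lawfirm.test'   # placeholder: the firm's own email domain

# 1. Mail flow rule: external messages that mention wire instructions get a subject tag and a
#    banner telling the reader to confirm by phone on a known number. It flags; it does not block.
New-TransportRule -Name 'Wire instructions - verbal verification reminder' `
    -FromScope NotInOrganization `
    -SubjectOrBodyContainsWords 'wire instructions','wiring instructions','updated account number','new bank details' `
    -PrependSubject '[VERIFY BY PHONE] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:#b00">This message appears to contain wire or payment instructions. Confirm them by calling a number you already have on file before acting. Do not verify by replying to this email.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce

# 2. Hunt for inbox rules that forward or redirect mail. Set-InboxRule is included because an
#    attacker can add forwarding to an existing rule instead of creating a new one.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations 'New-InboxRule','Set-InboxRule' -ResultSize 5000

$forwardingParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'
$findings = foreach ($r in $records) {
    $data   = $r.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    $targets = @($forwardingParams | ForEach-Object { $params[$_] } | Where-Object { $_ })
    if ($targets.Count -eq 0) { continue }

    # Any target that is not at the firm's own domain is an external forward.
    $external = @($targets | Where-Object { $_ -notlike "*@$firmDomain*" })
    [pscustomobject]@{
        When        = $data.CreationTime
        Mailbox     = $data.UserId
        ClientIP    = $data.ClientIP
        RuleName    = $params['Name']
        Targets     = ($targets -join '; ')
        External    = $external.Count -gt 0
        DeletesMail = [bool]$params['DeleteMessage']   # forward-and-delete hides the traffic from the owner
    }
}
$findings | Sort-Object When -Descending | Format-Table -AutoSize
```

Run the hunt on a schedule rather than once: the built-in alert policy "Creation of forwarding/redirect rule" in the Defender portal covers new rules in near real time, and this script is the retrospective check that confirms nothing was created before the alert policy was turned on. Rows with External and DeletesMail both true are the ones to treat as a live compromise.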

The AiTM threat to law firm M365 environments

AiTM phishing bypasses MFA by stealing session tokens at the authentication moment rather than stealing credentials. A single April 2026 AiTM campaign compromised 35,000 users across 13,000 organizations in three days, all of whom were using standard MFA. Law firms running Microsoft Authenticator push notifications or SMS-based MFA are vulnerable.

The M365 controls that specifically address AiTM:

  • Block the OAuth device code authentication flow via Conditional Access; this blocks the primary technical mechanism used by Kali365 and similar platforms.
  • Enable Continuous Access Evaluation (CAE); it reduces the usefulness of stolen tokens by enforcing real-time re-evaluation of session validity.
  • Require compliant or Hybrid Azure AD joined devices for all sign-ins; an attacker who steals a session token must also simulate a managed device to replay it.
  • Deploy phishing-resistant MFA for high-risk accounts; FIDO2 security keys bind authentication to the specific login domain, making token relay attacks ineffective.
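Three of the four AiTM controls above, plus the legacy-authentication block from control 2, are Conditional Access policies. The Microsoft Graph PowerShell below is an added example, not code from the original post or from Armour Cybersecurity. It creates the policies in report-only mode so the sign-in logs show what each would have blocked before anything is enforced. The policy bodies follow the Microsoft Graph conditionalAccessPolicy schema as documented for the SDK; the break-glass account ID and the display names are placeholders.

```powershell
# Added example (not from the original post): Conditional Access policies for legacy auth,
# device code flow and managed-device enforcement, created in report-only mode.
# Assumes the Microsoft.Graph.Identity.SignIns module and a Conditional Access administrator.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$breakGlass = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account to exclude
$reportOnly = 'enabledForReportingButNotEnforced'      # switch to 'enabled' after reviewing sign-in logs

# Policy A: block legacy authentication clients. 'exchangeActiveSync' and 'other' are the
# client app types that cannot complete MFA.
$blockLegacy = @{
    displayName = 'BLOCK - Legacy authentication'
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy B: block the OAuth device code flow for everyone.
$blockDeviceCode = @{
    displayName = 'BLOCK - Device code authentication flow'
    state       = $reportOnly
    conditions  = @{
        users               = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications        = @{ includeApplications = @('All') }
        clientAppTypes      = @('all')
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy C: require a compliant or hybrid-joined device, so a replayed session token from an
# unmanaged machine does not satisfy the policy on its own.
$requireDevice = @{
    displayName = 'GRANT - Require compliant or hybrid-joined device'
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}

foreach ($policy in $blockLegacy, $blockDeviceCode, $requireDevice) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ('Created {0} ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State)
}
```

Policy C is the one that bites unenrolled devices, so it belongs after Intune enrollment (control 6) is complete; leave it in report-only until the sign-in log shows no legitimate failures. Continuous Access Evaluation is not a policy to create: it is on by default in the tenant, and the point of the bullet above is to make sure nobody has turned it off.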

Frequently asked questions

Does my law firm need Microsoft 365 Business Premium or can we use Business Standard?

For most law firms handling confidential client data, Business Standard is inadequate. It lacks Conditional Access (which controls how and when users can access M365), Intune device management (which enables remote wipe on lost devices), and Microsoft Defender for Business (which provides endpoint threat detection). Business Premium includes all three and is the minimum recommended configuration. For firms in regulated practices or those handling highly sensitive matters, E3 or E5 licensing provides additional compliance and forensic capability that may be warranted.

We have MFA enabled, are we protected against phishing?

Standard MFA (push notifications, SMS codes, TOTP) protects against credential theft but not against AiTM phishing, which steals session tokens after authentication rather than credentials before it. The 35,000 users compromised in the April 2026 AiTM campaign were all using MFA. The controls that protect against AiTM are blocking the device code authentication flow, enabling Continuous Access Evaluation, requiring compliant devices, and deploying phishing-resistant MFA (FIDO2) for high-risk accounts.

How long does it take to configure Microsoft 365 properly for a law firm?

A full M365 security implementation for a small law firm, covering Conditional Access, Defender configuration, DLP, sensitivity labels, Intune enrollment, and audit logging, typically takes 20 to 40 hours of qualified implementation work, plus device enrollment time. The investment is front-loaded; ongoing management is lighter. Many law firms attempt self-configuration and end up with partially enabled controls that create a false sense of security, which is why many firms adopt managed cybersecurity services to ensure controls remain properly configured. A Conditional Access rollout that leaves legacy authentication protocols out of scope, for example, leaves the most common MFA bypass route open.

What should we do if we suspect our Microsoft 365 environment has been compromised?

Immediately revoke all active sessions for the suspected compromised account using Microsoft Entra’s ‘Revoke all sessions’ capability. Reset the account credentials. Audit the Unified Audit Log for all activity in the period following the suspected compromise: email access, forwarding rules, OAuth consents, file access. Check for new mailbox rules that may be forwarding or hiding emails. Notify your incident response services provider and legal counsel. Assess whether client notification obligations have been triggered. Do not attempt forensic analysis on your own; M365 compromise investigations require specific log analysis expertise and access to data that standard IT staff may not know how to extract.
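The first-hour steps in that answer (revoke sessions, reset credentials, check rules and OAuth consents, pull the audit trail) can be scripted so the evidence is captured before anyone starts clicking around the mailbox. The following is an added example, not code from the original post or from Armour Cybersecurity; it assumes the Microsoft.Graph.Users, Microsoft.Graph.Applications and ExchangeOnlineManagement modules, an administrator with the listed Graph scopes, and a placeholder user principal name and 30-day look-back. It contains the account and exports the log; the analysis itself stays with the incident response provider, as the answer says.

```powershell
# Added example (not from the original post): containment and evidence collection for one
# suspected-compromised Microsoft 365 account. UPN and look-back window are placeholders.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Applications, ExchangeOnlineManagement
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All', 'Directory.AccessAsUser.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$upn   = 'partner@example-lawfirm.test'   # placeholder: the account under investigation
$since = (Get-Date).AddDays(-30)
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Containment: invalidate every refresh token and session, then force a credential change.
#    The temporary password is handed over out of band, never emailed to the account.
Revoke-MgUserSignInSession -UserId $upn | Out-Null
$tempPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Inbox rules, including hidden ones, and mailbox-level forwarding set outside the rules.
Get-InboxRule -Mailbox $upn -IncludeHidden |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Export-Csv -Path ".\inboxrules-$stamp.csv" -NoTypeInformation
Get-Mailbox -Identity $upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# 3. OAuth consents for this user. A malicious app grant survives a password reset, so it is
#    listed for review before the account is returned to service.
$user = Get-MgUser -UserId $upn -Property Id
Get-MgUserOauth2PermissionGrant -UserId $user.Id | ForEach-Object {
    [pscustomobject]@{
        App   = (Get-MgServicePrincipal -ServicePrincipalId $_.ClientId).DisplayName
        Scope = $_.Scope
    }
} | Format-Table -AutoSize

# 4. Export the account's Unified Audit Log trail for the IR provider. A single call returns at
#    most 5000 records; busy mailboxes need paging with -SessionId and the same -SessionCommand.
$log = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $upn `
    -SessionCommand ReturnLargeSet -ResultSize 5000
$log | Select-Object CreationDate, Operations, AuditData |
    Export-Csv -Path ".\ual-$stamp.csv" -NoTypeInformation

# Quick triage view: what the account did, and from where.
$events = $log | ForEach-Object { $_.AuditData | ConvertFrom-Json }
$events | Group-Object Operation | Sort-Object Count -Descending | Select-Object Count, Name
$events | ForEach-Object { $_.ClientIP } | Where-Object { $_ } | Sort-Object -Unique
```

The CSV exports are the artifacts the incident response provider will ask for first; take them before any remediation beyond the session revocation and password reset, because deleting a malicious inbox rule also deletes the easiest evidence of what it was doing.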

Microsoft 365 is the operating environment of most small law firms — and it is also the primary target of the phishing, BEC, and token theft attacks that the legal sector faces in 2026. The security capability to address those threats is already included in the Business Premium license most firms have purchased. The gap is configuration, not investment, which is why a comprehensive cybersecurity assessment is often the first step toward securing a Microsoft 365 environment. Every day that gap remains open is a day on which all 14 monthly partner impersonation emails reach attorney inboxes, instead of only the 3 that slip past a properly configured Defender.

Armour Cybersecurity’s Microsoft 365 security optimization service configures the controls that protect your firm’s client data, privilege communications, and trust accounts — with expert implementation of Conditional Access, Defender, DLP, and phishing-resistant authentication designed specifically for legal practice environments.
