
Law Firms Are Being Targeted Through Social Engineering and Data Extortion

A Google Cloud Mandiant report details an ongoing campaign against U.S. law firms and professional services organizations by a financially motivated group tracked as UNC3753 (also known as Luna Moth, Chatty Spider, and Silent Ransom Group). The attackers rely on invoice-themed emails, phone calls impersonating IT, screen sharing, and legitimate remote access tools to steal data and extort victims, sometimes in under a single business day.

Cyberattacks do not always begin with malware, suspicious links, or stolen passwords. Sometimes, they begin with a phone call.

A recent report from Google Cloud's Mandiant team highlights an ongoing campaign against U.S. law firms and other professional services organizations. The activity is linked to a financially motivated threat group tracked as UNC3753, also known as Luna Moth, Chatty Spider, and Silent Ransom Group.

This is not a brand-new type of attack. Social engineering, voice phishing, remote access abuse, and data extortion have been around for years. What makes this campaign important is who is being targeted, how quickly the attackers move, and how much they rely on trust instead of technical exploits.

How the Campaign Works

The attack often starts with an invoice-themed email. In many cases, the message may not include a malicious link or attachment. Instead, it creates confusion and gives the attacker a reason to follow up.

After that, the target receives a phone call from someone pretending to be part of internal IT, security, or the helpdesk. The caller may claim there is a billing issue, a data migration problem, or a security concern that needs immediate attention.

The attacker then convinces the employee to join a screen-sharing session using tools such as Zoom, Microsoft Teams, Quick Assist, or similar platforms. From there, the victim may be guided into installing remote access tools like AnyDesk, Bomgar, Zoho Assist, or other legitimate remote management software.

Because these tools are often used by real IT teams, they may not immediately look suspicious.

Why Law Firms Are Valuable Targets

Law firms hold highly sensitive information. This can include client files, contracts, legal strategies, financial records, tax documents, personally identifiable information, merger and acquisition details, and confidential business communications.

For extortion groups, that kind of data is valuable because it creates pressure. A law firm may face reputational damage, client trust issues, regulatory exposure, and legal consequences if sensitive information is leaked.

That pressure is exactly what attackers try to use.

In the campaign described by Mandiant, attackers searched through document-heavy environments such as OneDrive, SharePoint, mapped network drives, iManage, and email. They looked for sensitive material, staged the data, and then moved it out using cloud storage, file transfer tools, browser uploads, consumer email, WinSCP, or Rclone.

The Speed of the Intrusions Matters

One of the most important details in the report is how quickly these incidents can unfold.

In some cases, the time between first contact, data theft, and extortion was less than a single business day. In some incidents, attackers began searching for and staging data in under an hour.

That speed matters because it leaves very little room for slow detection or delayed response. Organizations cannot rely only on after-the-fact investigations. Employees need to know what these tactics look like before they are targeted.

The Physical Security Angle

The report also notes possible activity involving people showing up in person while pretending to be IT technicians. In those cases, the goal may be to gain physical access to an office computer and copy data directly to USB storage.

That detail is a useful reminder: cybersecurity is not limited to firewalls, email filters, and endpoint tools.

Reception procedures, visitor verification, technician check-ins, escorted access, and USB restrictions are all part of the security picture. If someone can walk into an office and convince staff they belong there, technical controls may not be enough.

What Organizations Should Do

The best defense against this kind of activity is verification.

Employees should be trained to pause when they receive unexpected calls from "IT" or "security." If someone asks for screen sharing, remote access, software installation, or help accessing files, the employee should verify the request through an official internal channel.

Organizations should also limit which remote access tools are allowed. Unauthorized remote management software should be blocked, and approved tools should be monitored closely.

For law firms and other organizations that handle sensitive documents, security teams should watch for unusual file activity. This includes large downloads, sudden spikes in searches, mass access to client folders, unexpected archive creation, and uploads to consumer cloud storage.
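One way to combine the two monitoring recommendations above, as an added example that is not code from the Mandiant report or from this blog: flag the launch of an unapproved remote access or transfer tool, then check whether the same user touches several client folders or creates an archive within the following hour. The log format, the `/clients/<name>/` path layout, the tool image names, the approved list, and the thresholds are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

APPROVED_TOOLS = {"quickassist.exe"}  # assumption: the firm's approved list
WATCHED_TOOLS = {"anydesk.exe", "quickassist.exe", "winscp.exe", "rclone.exe"}  # image names assumed
WINDOW = timedelta(minutes=60)        # the article notes staging can begin in under an hour
MIN_CLIENT_FOLDERS = 3                # assumed threshold for "mass access to client folders"
ARCHIVE_EXT = (".zip", ".7z", ".rar")

# Constructed sample telemetry: time|user|event|path
SAMPLE_LOG = r"""
2026-01-12T09:02:11|jdoe|process_start|C:\Users\jdoe\Downloads\AnyDesk.exe
2026-01-12T09:09:30|jdoe|file_read|/clients/acme/contract.docx
2026-01-12T09:11:02|jdoe|file_read|/clients/birch/tax-2025.pdf
2026-01-12T09:12:45|jdoe|file_read|/clients/cedar/merger-notes.docx
2026-01-12T09:20:05|jdoe|file_write|C:\Users\jdoe\Documents\export.zip
2026-01-12T09:30:00|asmith|process_start|C:\Windows\System32\quickassist.exe
2026-01-12T13:00:00|blee|process_start|C:\Tools\rclone.exe
2026-01-12T15:30:00|blee|file_read|/clients/acme/contract.docx
"""

def parse(log):
    rows = (line.split("|", 3) for line in log.strip().splitlines())
    return sorted((datetime.fromisoformat(ts), u, k, d) for ts, u, k, d in rows)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def correlate(events):
    alerts = []
    for ts, user, kind, detail in events:
        tool = basename(detail)
        if kind != "process_start" or tool not in WATCHED_TOOLS or tool in APPROVED_TOOLS:
            continue
        folders, archives = set(), []
        for ts2, user2, kind2, detail2 in events:
            if user2 != user or not (ts < ts2 <= ts + WINDOW):
                continue  # only this user's activity in the hour after the launch
            m = re.match(r"/clients/([^/]+)/", detail2)
            if kind2 == "file_read" and m:
                folders.add(m.group(1))
            elif kind2 == "file_write" and detail2.lower().endswith(ARCHIVE_EXT):
                archives.append(basename(detail2))
        severity = "high" if len(folders) >= MIN_CLIENT_FOLDERS or archives else "review"
        alerts.append({"user": user, "tool": tool, "severity": severity,
                       "client_folders": len(folders), "archives": archives})
    return alerts

if __name__ == "__main__":
    print(correlate(parse(SAMPLE_LOG)))
```

An unapproved tool launch with no follow-on file activity is still reported, at "review" severity, so that the approved-tool list stays enforced even when nothing has been staged yet.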

Physical access should also be treated carefully. Anyone claiming to be a technician should be verified against a scheduled work order, checked with an official internal contact, logged, and escorted while onsite.

The Bigger Lesson

This campaign is a strong reminder that attackers do not always need to "hack in" through a technical weakness. Sometimes they get in by sounding helpful, urgent, and familiar.

A fake invoice, a convincing phone call, a screen-sharing request, or a person at the front desk can all be part of the same intrusion path.

For law firms, the risk is especially serious because the data they hold belongs to clients who expect confidentiality. Protecting that information means defending systems, but it also means protecting the everyday moments where employees are asked to make quick decisions under pressure.

The best defense is not panic. It is a culture where people feel comfortable stopping, checking, and verifying before they act.

Source: Google Cloud / Mandiant, "Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms," published June 5, 2026.