Executive Summary
A 35-person regional law firm specializing in corporate transactions, real estate, and estate planning engaged an outside security firm for a penetration test after their malpractice insurance carrier began requiring evidence of cybersecurity controls. The firm had been using Microsoft 365 for email and document storage for four years and had a small on-premises server for legacy case files.
During testing, the engagement team discovered that the firm's Microsoft 365 environment had significant gaps in its security configuration. By performing a password spraying attack against the firm's externally accessible login portal, testers were able to:
- Compromise a paralegal's account with a commonly used password pattern; no multi-factor authentication challenge stood between the guessed password and the mailbox
- Access the paralegal's email inbox containing attorney-client privileged communications, engagement letters, and settlement figures
- Navigate to SharePoint and OneDrive, where hundreds of folders had been shared with "Anyone with the link" permissions, exposing merger documents, due diligence files, and estate planning records
- Use the same credentials to VPN into the firm's internal network, where an on-premises file server held 8 years of unencrypted case files accessible to every domain user
The firm's managing partner was unaware that MFA was not enforced on all accounts, that SharePoint sharing permissions were this permissive, or that the internal file server was accessible with any valid domain credential. All 9 critical findings were remediated within 45 days.
The Client
The firm had built a strong reputation over two decades serving business clients in a competitive regional market. Their practice areas -- corporate M&A, commercial real estate, and estate planning -- meant they routinely handled highly sensitive financial information, personally identifiable information, and documents protected by attorney-client privilege.
The firm had an outsourced IT provider that managed their Microsoft 365 tenant and maintained a small on-premises server. Security had never been formally assessed. The managing partner's assumption was that Microsoft's built-in protections were handling it.
"We're paying for Microsoft 365 Business Premium. We assumed the security features were turned on. That's what we were paying for, right? Turns out, buying the license and configuring it properly are two very different things." -- Managing Partner
The Engagement
Penetration tester Derek Hollins led the assessment, beginning with external reconnaissance of the firm's internet-facing footprint before moving to the internal network.
A password that worked on the first try
The firm's Microsoft 365 login portal was accessible at the standard URL. Derek began with a controlled password spraying attack: a small number of commonly used password patterns tried against every known user account, spaced out so that no single account crossed the lockout threshold (Entra smart lockout defaults to 10 failed attempts before a one-minute lockout).
Within the first round of testing, one account returned a successful authentication: a paralegal whose password followed the pattern of the firm's name, the current year, and a special character. No MFA challenge was presented.
"The password was essentially the firm's name with '2026!' at the end. We see this pattern at almost every organization we test. People think they're being clever because it has uppercase, lowercase, numbers, and a special character. It meets every complexity requirement. But it's the first thing we try." -- Derek Hollins, Penetration Tester
MFA was configured only for the attorneys' security group. Paralegals, administrative staff, and the firm administrator account had no MFA requirement. Legacy authentication protocols (POP3, IMAP, SMTP AUTH) were still enabled tenant-wide. Those protocols cannot present a second-factor challenge, so a valid password alone is enough to read mail over IMAP or POP3 even for accounts that have MFA configured, unless a Conditional Access policy blocks legacy authentication outright.
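What the tester established by hand can be read out of the tenant's own telemetry. The following is an added example, not tooling from the engagement, written for the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, an account that can consent to the read-only scopes listed, and an Entra ID P1 licence (included in Business Premium) for sign-in log access; the 30-day window and the five-account spray threshold are assumptions, not figures from the case.

```powershell
# Added example (not from the engagement): audit MFA coverage, legacy-auth use, and
# password-spray signatures from a Microsoft 365 tenant's own sign-in telemetry.
# Assumes: Install-Module Microsoft.Graph; Entra ID P1 (sign-in logs); read-only scopes below.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "AuditLog.Read.All", "User.Read.All" -NoWelcome

# 1. Registration gap: a user with no MFA method on file cannot pass a challenge at all.
#    (Whether a challenge is *required* is a Conditional Access question; see step 4.)
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable
"Users with no MFA method registered: $(@($noMfa).Count)"
$noMfa | Format-Table -AutoSize

# 2. Pull the last 30 days of sign-ins once (assumed window) and reuse them below.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# 3. Legacy (basic) authentication. These client app names are how Entra labels protocols
#    that cannot carry an MFA challenge, so every success here was password-only.
$legacyApps = @("Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
                "Exchange Web Services", "AutoDiscover", "MAPI Over HTTP",
                "Offline Address Book", "Outlook Anywhere (RPC over HTTP)", "Other clients")
$signIns | Where-Object { $legacyApps -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# 4. Enforcement gap: successful sign-ins that were never asked for a second factor.
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 -and
                          $_.AuthenticationRequirement -eq "singleFactorAuthentication" } |
    Group-Object UserPrincipalName | Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize

# 5. Spray signature: one source address producing error 50126 (wrong password) against many
#    distinct accounts. Five accounts is an assumed threshold for a ~35-user tenant.
$signIns | Where-Object { $_.Status.ErrorCode -eq 50126 } |
    Group-Object IpAddress | ForEach-Object {
        [pscustomobject]@{
            IpAddress = $_.Name
            Accounts  = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count
            Attempts  = $_.Count
            First     = ($_.Group.CreatedDateTime | Measure-Object -Minimum).Minimum
            Last      = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
        }
    } | Where-Object { $_.Accounts -ge 5 } |
    Sort-Object Accounts -Descending | Format-Table -AutoSize
```

Step 2 returns the interactive user sign-in log only; service-principal and non-interactive sign-ins need their own `signInEventTypes` filter. Step 5 is the same pattern a detection rule in the SIEM should carry: many accounts, few attempts each, one source, all failing on the password rather than on lockout (error 50053), which is exactly what a tester staying under the threshold looks like.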
An inbox full of privileged information
With valid credentials and no MFA, Derek had full access to the paralegal's Microsoft 365 account. The email inbox alone contained years of attorney-client privileged communications, including:
- Engagement letters with fee structures and client financial details
- Draft settlement agreements with specific dollar amounts
- M&A due diligence checklists referencing confidential business valuations
- Estate planning documents containing Social Security numbers, bank account numbers, and beneficiary information
- Internal strategy emails between attorneys discussing case strengths and weaknesses
The paralegal supported three attorneys and had been copied on virtually every substantive communication for the past two years.
A single compromised user account provided access to years of privileged communications, financial documents, and PII. Neither data loss prevention controls nor access anomaly detection was in place.
SharePoint: "Anyone with the link"
The compromised account also provided access to the firm's SharePoint and OneDrive environment. What Derek found there was worse than the email.
Hundreds of document folders in SharePoint had been shared using "Anyone with the link" permissions -- meaning anyone with the URL, even without a firm account, could access the contents. Among the exposed folders were active M&A deal rooms, closing binders with executed documents, and client financial statements.
"The attorneys thought they were sharing documents with their clients by sending a link. They didn't realize the sharing setting was 'Anyone' instead of 'Specific people.' There were deal documents for transactions worth tens of millions of dollars sitting behind nothing but a URL." -- Derek Hollins, Penetration Tester
Hundreds of SharePoint folders containing attorney-client privileged documents, M&A materials, and client PII were shared with "Anyone with the link" permissions. No tenant-level policy restricted external sharing to authenticated recipients.
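Closing this off is a tenant-level change, and the audit log shows who created and used the links. The following is an added example, not the engagement's tooling, using the SharePoint Online Management Shell and Exchange Online PowerShell. `contoso` is a placeholder tenant name and the 90-day audit window is an assumption. The audit query only surfaces links created or used within the log's retention; older links need a per-site crawl (for example with PnP PowerShell's `Get-PnPFileSharingLink`), which is not shown here.

```powershell
# Added example (not from the engagement): find "Anyone" sharing in SharePoint Online,
# see who has been creating and using anonymous links, then close the setting tenant-wide.
# Assumes: Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules;
# "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Tenant ceiling. ExternalUserAndGuestSharing is the value that permits "Anyone" links at all.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
                              RequireAnonymousLinksExpireInDays

# 2. Sites that currently allow Anyone links (a site can be no broader than the tenant).
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability, Owner | Format-Table -AutoSize

# 3. Who created or used anonymous links in the last 90 days (assumed window)?
#    AuditData is a JSON string; the fields below are what these two operations carry.
Connect-ExchangeOnline -ShowBanner:$false
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations AnonymousLinkCreated, AnonymousLinkUsed -ResultSize 5000
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $d.CreationTime
        Operation = $d.Operation
        User      = $d.UserId      # "anonymous" on AnonymousLinkUsed: the recipient never signed in
        ClientIP  = $d.ClientIP
        Site      = $d.SiteUrl
        Item      = $d.ObjectId
    }
} | Sort-Object When | Format-Table -AutoSize

# 4. Remediate. Lowering SharingCapability below "Anyone" deactivates existing Anyone links across
#    the tenant; Direct makes "Specific people" the default link type and View the default permission.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View

# Bring every site down to the same ceiling so nobody can re-enable Anyone at site scope later.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability ExistingExternalUserSharingOnly }

# 5. Verify the ceiling stuck, then open one previously shared Anyone link from a private
#    browser window: it should now prompt for sign-in instead of rendering the document.
(Get-SPOTenant).SharingCapability
```

The check in step 5 is the one a partner can do from a phone in the meeting: an Anyone link that still renders without sign-in means the change has not taken effect. `ExistingExternalUserSharingOnly` still allows sharing with guests who are already in the directory; if the firm has no need for guests at all, `Disabled` is the tighter value.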
The VPN and the file server
The firm operated a VPN for remote access, and the compromised paralegal's credentials worked there as well: the same password that opened the cloud mailbox opened the internal network. Once inside, Derek discovered an on-premises file server hosting the firm's legacy case management files -- everything predating the move to Microsoft 365 four years earlier.
The file server had a simple share structure: folders organized by client name, then by matter. Eight years of case files. The share permissions were set to "Domain Users: Full Control," meaning any valid domain account could read, modify, or delete any file.
An on-premises file server containing approximately 8 years of client case files was accessible to all domain users with full read/write permissions. Files were unencrypted. No access auditing was enabled.
Former employees still in the directory
During the Active Directory review, Derek identified seven user accounts belonging to individuals who no longer worked at the firm. Three had left more than a year earlier. None of the accounts had been disabled. All still had valid credentials and access to the same file shares.
Seven Active Directory accounts belonging to former employees were still active, including three who had departed more than 12 months prior. These accounts retained full access to file shares, email (if licensed), and VPN.
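Both on-premises findings, the file share open to every domain user and the seven accounts nobody disabled, can be checked and fixed from PowerShell. The following is an added example, not the engagement's scripts. Part A runs on the file server itself; part B runs on any domain-joined host with the RSAT ActiveDirectory module. `CONTOSO`, the share name `Cases`, the path `D:\Cases`, the group names and the sample account `jdoe` are placeholders, and 90 days is an assumed inactivity window.

```powershell
# Added example (not the engagement's scripts). Part A: file server share/NTFS audit and fix.
# Part B: stale domain accounts. All names, paths and the 90-day window are placeholders/assumptions.

# --- A. Broad grants at BOTH layers. Share ACL and NTFS ACL are evaluated independently and the
#        effective right is the more restrictive, so "Domain Users: Full Control" on the share plus
#        an inherited "Users: Modify" on NTFS is still full read/write for every domain account.
$broad = 'Everyone|Authenticated Users|Domain Users|BUILTIN\\Users'
Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {   # skip admin shares (C$, ADMIN$)
    $s = $_
    Get-SmbShareAccess -Name $s.Name | Where-Object { $_.AccountName -match $broad } |
        ForEach-Object { [pscustomobject]@{ Share=$s.Name; Layer='Share'; Principal=$_.AccountName; Right=$_.AccessRight } }
    (Get-Acl -Path $s.Path).Access | Where-Object { $_.IdentityReference.Value -match $broad } |
        ForEach-Object { [pscustomobject]@{ Share=$s.Name; Layer='NTFS';  Principal=$_.IdentityReference.Value; Right=$_.FileSystemRights } }
} | Format-Table -AutoSize

# Replace the broad grant with per-practice-area groups. The share layer stays coarse;
# the NTFS ACL on each practice-area folder carries the real restriction.
Revoke-SmbShareAccess -Name 'Cases' -AccountName 'CONTOSO\Domain Users' -Force
Grant-SmbShareAccess  -Name 'Cases' -AccountName 'CONTOSO\FS-Cases-Users' -AccessRight Change -Force

$acl = Get-Acl -Path 'D:\Cases\RealEstate'
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the broad grant from D:\Cases ...
foreach ($rule in @(                           # ... and re-add what must remain BEFORE saving, or you lock out admins
    (New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators',       'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')),
    (New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',          'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')),
    (New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\FS-Cases-RealEstate',  'Modify',      'ContainerInherit,ObjectInherit', 'None', 'Allow'))
)) { $acl.AddAccessRule($rule) }
Set-Acl -Path 'D:\Cases\RealEstate' -AclObject $acl

# Turn on object-access auditing and put a SACL on the case root so reads, writes and deletes
# land in the Security log as event 4663. Reads are noisy; start with writes/deletes if no SIEM.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$sacl = Get-Acl -Path 'D:\Cases' -Audit
$sacl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData,WriteData,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')))
Set-Acl -Path 'D:\Cases' -AclObject $sacl

# --- B. Stale accounts. LastLogonDate is the replicated lastLogonTimestamp, which can lag real
#        activity by up to 14 days: a screening value, not proof of inactivity. HR confirms.
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, whenCreated |
    Where-Object { ($_.LastLogonDate -lt $cutoff -or -not $_.LastLogonDate) -and $_.whenCreated -lt $cutoff } |
    Select-Object SamAccountName, Name, LastLogonDate, PasswordLastSet |
    Sort-Object LastLogonDate | Format-Table -AutoSize

# Offboarding for a confirmed departure: disable, record why, rotate the password so a cached
# credential (e.g. a saved VPN profile) dies immediately, and move the object to a holding OU.
$sam = 'jdoe'   # placeholder
Disable-ADAccount -Identity $sam
Set-ADUser -Identity $sam -Description "Disabled $(Get-Date -Format yyyy-MM-dd): left firm, see HR ticket"
Set-ADAccountPassword -Identity $sam -Reset -NewPassword (ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force)
Move-ADObject -Identity (Get-ADUser -Identity $sam).DistinguishedName -TargetPath 'OU=Disabled Users,DC=contoso,DC=local'
```

Run part A's audit again after the fix and confirm no row names `Domain Users`, `Everyone` or `Authenticated Users` with more than read. Part B is the piece to wire to the HR process: the departure date, not a periodic inactivity scan, is what should trigger the disable.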
Account manager Rachel Morrison facilitated the findings presentation to the firm's partners.
"The room was completely silent when Derek showed the SharePoint finding. One of the partners pulled up a folder on her phone right there in the meeting -- a deal she'd closed six months ago -- and realized anyone with the link could still see every document. She turned to the IT provider and said, 'Why didn't you tell us this was possible?' And the honest answer was, nobody had ever checked." -- Rachel Morrison, Account Manager
The Impact
The exposure was significant on multiple levels. As a law firm, the data at risk wasn't just sensitive -- it was legally privileged. A breach of this nature would trigger not only regulatory obligations but also professional ethics reporting requirements. The consequences could have included:
- Mandatory notification to every client whose privileged information was exposed
- Bar association ethics complaints and potential disciplinary proceedings
- Malpractice claims from clients whose deal terms, litigation strategies, or financial details were compromised
- Loss of clients who could no longer trust the firm with confidential matters
- Regulatory fines under state data breach notification laws
- Reputational damage that could take years to recover from
In 2023, one major law firm paid $8 million to settle a class action after hackers stole personal data from an unencrypted file share. Another firm had 184,000 privileged documents exposed for six months on an unsecured cloud server before anyone noticed. These are not hypothetical risks.
The Remediation
45-Day Remediation Timeline
- Day 1: All seven stale employee accounts disabled. Legacy authentication protocols (POP3, IMAP, SMTP AUTH) disabled tenant-wide.
- Days 1-3: MFA enforced for all user accounts with no exceptions. Conditional Access policies configured to require MFA on every login, block legacy auth, and require compliant devices.
- Week 1: SharePoint sharing audit conducted. All "Anyone" links revoked. Tenant-level sharing policy changed to "Specific people only" as the default, with "Existing guests" as the maximum permitted.
- Weeks 2-3: File server permissions overhauled. Role-based access groups created for each practice area. Case files restricted to the assigned attorney team. Audit logging enabled on all shares.
- Weeks 3-4: Firm-wide password reset with a new 14-character minimum policy. Common password patterns (firm name, seasons, years) added to the custom banned password list in Microsoft Entra ID (formerly Azure AD) password protection.
- Weeks 4-5: Employee offboarding checklist created and integrated with HR process. Automated account disable workflow configured for departing employees.
- Week 6: Validation test performed. All critical and high-severity findings confirmed remediated. MFA successfully blocked all password spray attempts.
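The Conditional Access and password controls from the timeline, expressed as Microsoft Graph PowerShell, are shown below as an added example, not the remediation scripts actually used. It assumes Entra ID P1 (included in Business Premium), an emergency-access group named `CA-BreakGlass` (a placeholder; the timeline above lists no exclusions, but excluding a break-glass account is what keeps an MFA outage from locking out every admin), placeholder firm terms for the banned list, and that the MFA and device policies start in report-only mode so their impact is reviewed in the sign-in log before enforcement.

```powershell
# Added example (not the engagement's scripts): Conditional Access policies and password
# controls from the remediation timeline, via the Microsoft Graph PowerShell SDK and RSAT.
# Assumes Entra ID P1; "CA-BreakGlass", "contoso.local" and the banned terms are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Group.Read.All", "Directory.ReadWrite.All" -NoWelcome
$breakGlass = (Get-MgGroup -Filter "displayName eq 'CA-BreakGlass'").Id

function New-CaPolicy {
    # All users, all cloud apps, break-glass group excluded; caller picks client types and grant.
    param([string]$Name, [string]$State, [string[]]$ClientAppTypes, [string[]]$Grant)
    $body = @{
        DisplayName   = $Name
        State         = $State   # enabled | disabled | enabledForReportingButNotEnforced
        Conditions    = @{
            Users          = @{ IncludeUsers = @("All"); ExcludeGroups = @($breakGlass) }
            Applications   = @{ IncludeApplications = @("All") }
            ClientAppTypes = $ClientAppTypes
        }
        GrantControls = @{ Operator = "OR"; BuiltInControls = $Grant }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Day 1: block legacy authentication. These are the only client app types that cannot do MFA,
# so this policy can go straight to enabled; it is the tenant-wide kill switch for IMAP/POP3/SMTP AUTH.
New-CaPolicy -Name "CA001 - Block legacy authentication" -State "enabled" `
             -ClientAppTypes @("exchangeActiveSync", "other") -Grant @("block")

# Days 1-3: MFA for every sign-in. Report-only first; flip to "enabled" after the sign-in log
# shows no unexpected blocks (service accounts and scan-to-email devices are the usual surprises).
New-CaPolicy -Name "CA002 - Require MFA for all users" -State "enabledForReportingButNotEnforced" `
             -ClientAppTypes @("all") -Grant @("mfa")

# Days 1-3: compliant device. Report-only until every laptop is enrolled, or users lose mail.
New-CaPolicy -Name "CA003 - Require compliant device" -State "enabledForReportingButNotEnforced" `
             -ClientAppTypes @("browser", "mobileAppsAndDesktopClients") -Grant @("compliantDevice")

# Weeks 3-4: custom banned password list (Entra password protection). The tenant setting lives in
# the "Password Rule Settings" group-setting template. The list is tab-separated, at most 1000
# terms of 4-16 characters; matching is case-insensitive and normalises common substitutions,
# so banning "Contoso" also catches "C0ntoso2026!". Firm-specific terms are placeholders.
$terms = @("ContosoLaw", "Contoso", "Spring", "Summer", "Autumn", "Winter", "Welcome", "Password")
$bad = $terms | Where-Object { $_.Length -lt 4 -or $_.Length -gt 16 }
if ($bad) { throw "Banned terms must be 4-16 characters: $($bad -join ', ')" }

$template = Get-MgGroupSettingTemplate | Where-Object DisplayName -eq "Password Rule Settings"
$existing = Get-MgGroupSetting | Where-Object TemplateId -eq $template.Id
$values = @(
    @{ Name = "EnableBannedPasswordCheck"; Value = "true" }
    @{ Name = "BannedPasswordList";        Value = ($terms -join "`t") }
)
if ($existing) { Update-MgGroupSetting -GroupSettingId $existing.Id -Values $values }
else           { New-MgGroupSetting -TemplateId $template.Id -Values $values }

# The 14-character minimum is an AD DS domain policy. Entra cloud accounts have a fixed
# 8-character floor with no admin-settable minimum, so length is enforced where the password lives.
Import-Module ActiveDirectory
Set-ADDefaultDomainPasswordPolicy -Identity "contoso.local" -MinPasswordLength 14 -ComplexityEnabled $true
```

The validation step in week 6 is visible in the same sign-in log used earlier: after CA001 is enabled, a password spray over IMAP fails before the password is even checked, and after CA002 is enabled a correct guess against an account with no registered method is met with a registration prompt rather than a mailbox. If the banned list must also apply to on-premises password changes, the Entra password protection proxy and DC agent need to be deployed and `EnableBannedPasswordCheckOnPremises` set in the same template; that is not shown here.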
What Could Have Happened
Law firms are increasingly targeted by both cybercriminals and nation-state actors because they hold concentrated, high-value data. A single firm's servers can contain the financial details of dozens of businesses, the personal information of thousands of individuals, and litigation strategies that adversaries would pay to see.
In this case, the path from the internet to eight years of privileged client files required nothing more than a common password and an account without MFA. No exploits. No malware. No sophisticated techniques. Just a predictable password and a series of configurations that nobody had ever reviewed.
"The scariest part isn't what we found. It's how long it had been that way. We migrated to Microsoft 365 four years ago, and for four years, nobody checked whether the security settings were actually configured. We were relying on assumptions the entire time." -- Managing Partner
The firm now operates on a semi-annual testing cycle and has engaged a security-focused IT provider to manage their Microsoft 365 tenant. The managing partner has also become an advocate for security testing among peer firms in their professional association.
Are Your Security Assumptions Actually Verified?
Most firms believe their cloud environment is secure because they pay for it. A penetration test shows you what's actually configured. Schedule a free consultation to find out.