
50 global enterprises breached because of MFA gaps

Close the gap and protect your firm from credential-based breaches

Arthur Gaplanyan

Missing MFA Breach

A recent case study describes a hacking incident that affected 50 global businesses by using stolen employee login credentials. The common factor was that multi-factor authentication was not mandatory on key systems.

The attackers used infostealer malware to harvest usernames, passwords, session cookies, and other authentication material from compromised machines. Once those credentials were offered for sale on dark web marketplaces, threat actors could walk into the corporate environment with minimal effort.

The MFA gap

To be clear, these breaches were not caused by sophisticated zero-day attacks.

They were caused by simple credential theft and weak authentication controls. In some instances the organization had the capability to enforce multi-factor authentication but had not done so for all users and applications. That left an open door for the attackers.

Also to be clear, the breached companies were not short on security budget. They are large, global names spanning industries from health care to law firms.

The Result

The cost to the breached companies has not been released, but between incident response, business disruption and regulatory issues, you can expect it was not small.

However, the most important consequence of a breach is damage to reputation. That’s harder to measure and more costly to get back.

For local law firms the scale is different, but the risk is just as great.

The most valuable resource of your firm is trust. Communications with clients, financial information, litigation plans, medical information, and intellectual property are all contained within email accounts, document management software, and cloud storage.

When a single employee's credentials are captured by an infostealer infection, an attacker can potentially gain access to the following:

  • Microsoft 365 email and SharePoint
  • Practice management software
  • Cloud file storage
  • Billing and accounting platforms
  • Remote access portals

Once inside, malicious actors can covertly exfiltrate client data, create mailbox forwarding rules, run wire transfer fraud schemes by impersonating lawyers, or launch ransomware attacks.

Even if the incident is remediated promptly, the law firm can still be confronted with client notification obligations, State Bar inquiries, and issues with cyber insurance claims. Most insurers now demand proof of MFA enforcement as a coverage requirement.

Closing the gap

The security report carries one very clear message: size is not what determines vulnerability. Basic security hygiene is.

Multi-factor authentication directly addresses the failure point used in this attack. When MFA is enforced, the attacker needs not only the password but also the second factor, such as a hardware token, approval in the authenticator app, or biometric data. That extra layer stops most credential stuffing and infostealer-driven attacks.

There are exceptions. If a session cookie is stolen and replayed before it expires, MFA may not be prompted again. If a user approves a phishing push notification, access can still be gained. Even so, enforcing MFA everywhere sharply lowers the success rate of opportunistic attacks that rely on stolen credentials.

What should you do?

The practical steps are clear:

  • Enforce MFA for all Microsoft 365 accounts without exception.
  • Require MFA for practice management, remote access, and document systems.
  • Disable legacy authentication protocols.
  • Monitor for impossible-travel logins and other suspicious sign-in activity.
  • Align MFA settings with cyber insurance and State Bar guidance.
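As an added illustration of the monitoring step above (this is example code written for this post, not a tool from the report or from any vendor), the script below runs two checks over constructed sign-in records loosely modelled on Microsoft 365 sign-in log fields: it flags "impossible travel" where the distance between consecutive sign-ins for one user implies a speed no flight could reach, and it flags any sign-in that completed with a single factor. Field names, coordinates and the 900 km/h threshold are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample records; field names are an assumption, not real log output.
# alice: New York, then London 40 minutes later without MFA -> both checks fire.
# bob:   New York, then Chicago 8 hours later with MFA -> nothing fires.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:00:00Z", "ip": "203.0.113.10",
     "lat": 40.71, "lon": -74.01, "mfa": True},
    {"user": "alice@example.com", "time": "2024-05-01T09:40:00Z", "ip": "198.51.100.7",
     "lat": 51.51, "lon": -0.13, "mfa": False},
    {"user": "bob@example.com", "time": "2024-05-01T10:00:00Z", "ip": "203.0.113.20",
     "lat": 40.71, "lon": -74.01, "mfa": True},
    {"user": "bob@example.com", "time": "2024-05-01T18:00:00Z", "ip": "203.0.113.21",
     "lat": 41.88, "lon": -87.63, "mfa": True},
]

MAX_SPEED_KMH = 900  # above airliner speed: two sign-ins this far apart cannot both be the user


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_alerts(signins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (kind, user, ip, implied_speed_kmh_or_None) tuples worth a human look."""
    alerts = []
    by_user = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["time"]):  # ISO-8601 sorts lexically
        by_user[rec["user"]].append(rec)
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0 and dist / hours > max_speed_kmh:
                alerts.append(("impossible_travel", user, cur["ip"], round(dist / hours)))
        for rec in recs:  # any single-factor success is an MFA gap in itself
            if not rec["mfa"]:
                alerts.append(("single_factor_signin", user, rec["ip"], None))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SIGNINS):
        print(alert)
```

In practice the records would come from the tenant's sign-in log export rather than a hard-coded list, and the single-factor check is the quickest way to find accounts that policy says are covered but are not.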

This is not a theoretical security exercise. It is a step that directly breaks the chain of attack.

The final verdict

Law firms are working under tight deadlines and high expectations. A preventable credential-based breach will have a negative impact on both.

MFA is not complex to implement, and it doesn’t need drastic changes to the infrastructure.

It needs leadership to make enforcement non-negotiable.

This is what I would want to know if I were you: if an attacker has managed to get one of your staff members’ passwords today, what is actually going to stop them from logging in?
