Obsidian Ridge

Threat Intelligence & Incident Response

Business Email Compromise in Law Firms: The Closing-Wire-Fraud Pattern That Keeps Costing Firms Millions

How BEC and closing-wire-fraud actually unfold in a law firm — the impersonation pattern, the inbox-rule trick, the controls that catch it, and what to do in the first four hours.

Reviewed May 14, 2026 by Kfir Yair, CISSP · CCFH · ZDTA · CySA+ · Security+


The wires that disappear from law firms almost never disappear because of malware. They disappear because someone replied to a live closing thread on a Friday morning with new bank details, the paralegal moved the money, and nobody picked up the phone.

Once you have seen the pattern run, you stop arguing about whether it can happen at your firm and start asking what is in place to catch it.

The pattern, in plain terms

There are four mailboxes in any closing or settlement: buyer, seller, agent or lender, and the law firm. The attacker only needs one. They get inside, read the thread, and wait.

They are watching for two things — a closing date and a wire-instructions email. When those land, they have everything they need. They reply to the live thread from inside a real mailbox, against the real matter, same signature, same tone.

"Quick note — our bank is finalizing changes on the old account. For Friday's wire, please use the updated instructions below."

The wire goes. The escrow officer has no reason to suspect anything — real address, real thread, right amount. Nothing looks wrong until the real lender calls Monday. By then the money has been pulled out the back of a receiving bank, layered through downstream accounts, and is on its way out of US jurisdiction.

Why law firms are especially exposed

A law firm is the relay point in money movement almost nobody else sits at — closing escrow, settlement payouts, IOLTA disbursements, estate distributions. Any time a firm sits between two parties moving meaningful money, the firm is the target. Even when the firm's own email is clean, it is still the wire-instruction relay point — which is exactly where the attacker wants to inject.

That structural exposure is why this attack keeps producing six- and seven-figure losses at firms that thought they were too small to be interesting. The number of attorneys does not matter. The dollar amount on a single closing does.

A composite incident

This is a composite — not one specific firm — but every beat has happened at real closing-focused practices over the last two years.

Tuesday. A paralegal at a small real estate firm receives what looks like an Adobe Sign request from a title company the firm closes with every week. The link asks her to authenticate with Microsoft 365. She enters credentials, approves the Authenticator prompt, a generic viewer loads, and she moves on.

She entered credentials on a proxy. An adversary-in-the-middle kit forwarded the password to the real Microsoft login, captured the MFA prompt, forwarded that, and captured the post-authentication session cookie.

Wednesday. The attacker logs in from another country using the stolen cookie. Because the cookie is post-MFA, Microsoft treats them as fully authenticated — no second prompt, no alert. They create an inbox rule that is the real fingerprint of this attack:

  • Any message containing "wire", "ACH", "closing", "escrow", or "settlement"
  • Forward externally to an attacker-controlled address
  • Mark as read and move to RSS Subscriptions or a rarely-used folder

The paralegal never sees the incoming lender wire instructions or the title company replies. The attacker does.

Thursday. The attacker watches a $1.2M residential closing thread come together. The lender sends formal wire instructions. The rule routes a copy to the attacker and hides the original. The attacker now has the closing date, the dollar amount, the lender's wording, and the escrow flow.

Friday, 9 a.m. The attacker, posing as the lender on a reply to the live thread, sends "updated" wire instructions to the firm's escrow officer — in the existing chain, under the real subject line, with the lender's signature block.

Friday, 11 a.m. The escrow officer initiates the wire. $1.2M moves.

Monday. The real lender calls about the unfunded closing. The escrow officer pulls up the thread, reads the "updated instructions" message, and the floor falls out.

Why MFA didn't save anyone

MFA is necessary, but the version most firms have — a push notification or a six-digit code — does not stop adversary-in-the-middle.

Public AiTM phishing kits like EvilProxy, Tycoon, NakedPages, and Mamba 2FA have been widely documented across 2024 and 2025. They are sold as subscription services. They proxy the real Microsoft login and capture the session cookie Microsoft issues after MFA is satisfied. Once that cookie is replayed, the tenant cannot tell the attacker apart from the paralegal whose credentials they stole.

The factors that resist this cleanly are phishing-resistant — FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. Most small firms are not there yet. Treat MFA as one layer and add at least one more.

The technical controls that actually catch this

This is where managed identity threat detection earns its keep. The signal pattern is loud if anyone is watching:

  • A sign-in from a country the paralegal has never traveled to, minutes after a successful US-based sign-in (impossible travel).
  • A session token used from an IP that does not match the original device fingerprint (token replay).
  • A new mailbox rule hiding messages with "wire", "closing", "escrow", or "ACH" — the single most specific BEC indicator in Microsoft 365.
  • An OAuth consent grant to a third-party app the firm has never used, often right after the "Adobe Sign" interaction.

Managed ITDR — the Huntress identity product we deploy for law firm clients — catches all four in minutes. The mailbox-rule anomaly is among the highest-confidence detections in identity security, because real users almost never create rules that hide closing or wire keywords from themselves.
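To make the mailbox-rule indicator concrete, here is an added example (not code from this page, Obsidian Ridge or Huntress) that scores New-InboxRule and Set-InboxRule events from a Microsoft 365 Unified Audit Log export for the three traits described above: a filter on wire/closing/escrow keywords, a forward to an address outside the firm, and a hide-it action such as mark-as-read or a move to RSS Subscriptions. The sample records, the firm domain, the folder list and the scoring threshold are constructed assumptions.

```python
import json
import re
# Constructed sample records shaped like Microsoft 365 Unified Audit Log Exchange
# entries; domains, addresses and IPs are placeholders, not real indicators.
SAMPLE_AUDIT_LOG = r"""
{"CreationTime":"2026-05-06T03:12:41","Operation":"New-InboxRule","UserId":"paralegal@examplefirm.test","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"wire;ACH;closing;escrow;settlement"},{"Name":"ForwardTo","Value":"docs.relay@attacker-mail.test"},{"Name":"MarkAsRead","Value":"True"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"}]}
{"CreationTime":"2026-05-06T14:02:10","Operation":"New-InboxRule","UserId":"partner@examplefirm.test","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Bar newsletters"},{"Name":"From","Value":"news@statebar.test"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2026-05-06T15:30:00","Operation":"Set-InboxRule","UserId":"escrow@examplefirm.test","ClientIP":"198.51.100.9","Parameters":[{"Name":"Identity","Value":"Closing files"},{"Name":"SubjectContainsWords","Value":"closing"},{"Name":"MoveToFolder","Value":"Closings"}]}
"""

FIRM_DOMAIN = "examplefirm.test"  # assumed: the firm's own mail domain
MONEY_WORDS = {"wire", "ach", "closing", "escrow", "settlement"}
FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders a user rarely opens; hidden mail gets parked here (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "deleted items", "archive"}

def parse_records(audit_jsonl):
    return [json.loads(l) for l in audit_jsonl.strip().splitlines() if l.strip()]

def score_rule(record):
    """Count BEC traits on one New-InboxRule/Set-InboxRule record; return (score, reasons)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    reasons = []
    hits = sorted(MONEY_WORDS & {w.strip().lower() for k in FILTER_PARAMS for w in p.get(k, "").split(";")})
    if hits:
        reasons.append("filters on money keywords: " + ", ".join(hits))
    for k in FORWARD_PARAMS:  # any forward/redirect outside the firm's own domain
        for addr in re.findall(r"[\w.+-]+@[\w.-]+", p.get(k, "")):
            if not addr.lower().endswith("@" + FIRM_DOMAIN):
                reasons.append(f"{k} to external address {addr}")
    for flag, why in (("MarkAsRead", "marks matched mail as read"), ("DeleteMessage", "deletes matched mail")):
        if p.get(flag, "").lower() == "true":
            reasons.append(why)
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves matched mail to " + p["MoveToFolder"])
    if "Name" in p and len(p["Name"].strip()) <= 2:  # rules named "." or ".." are a common tell
        reasons.append("rule name is blank or punctuation only")
    return len(reasons), reasons

def find_suspicious_rules(audit_jsonl, min_score=2):
    # A plain "file closing mail in a Closings folder" rule scores 1 and stays below the threshold.
    findings = []
    for rec in parse_records(audit_jsonl):
        score, reasons = score_rule(rec)
        if score >= min_score:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"], "ip": rec["ClientIP"], "score": score, "reasons": reasons})
    return findings
```

Running find_suspicious_rules(SAMPLE_AUDIT_LOG) returns only the paralegal's 3 a.m. rule, with all five traits listed, while the partner's newsletter rule and the escrow officer's legitimate keyword rule are left alone.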

The process controls that catch it when the tech doesn't

Every closing-wire-fraud case I have walked through could have been stopped by a phone call. Not a tool. A phone call.

The controls worth more than any technical layer:

  • Out-of-band callback verification, no exceptions. Any change in wire instructions — bank, ACH, account number, routing tweak — requires a phone call to the other party on a number from the engagement letter or onboarding record. Not the number in the email signature. Attackers can edit signatures. They cannot edit the number you had on file before this matter opened.
  • Dual approval over a threshold. Wires above $10,000 for small firms, $25,000 for larger ones, should require a second person to sign off. The escrow officer initiates, a partner or office manager approves.
  • Wire-instruction master-data change protocol. Any new bank account on a matter file requires a second person to verify before it is saved.
  • A documented wire procedure, trained to every paralegal and escrow officer. Not a memo — a real procedure with examples of the impersonation pattern, refreshed annually with a tabletop.
  • Phishing simulation focused on payment-redirect themes for the people who actually move money. Generic monthly phishing tests do not move the needle. Themed simulations do. That is what Managed SAT is for.

If you implement only the callback rule, you eliminate most of the realistic loss path.

The first four hours after you realize

The next four hours decide how much money you get back and how clean the breach response is.

  1. Call the bank immediately. Ask for the wire to be recalled and ask them to initiate the Financial Fraud Kill Chain. Domestic wires meeting FFKC criteria can sometimes be clawed back if the request reaches the receiving bank before funds are layered out. IC3 expanded FFKC coverage in 2024-2025 to higher thresholds — do not assume your wire is too large to qualify.
  2. File at IC3.gov the same day. IC3 is the FBI's front door for BEC and the entry point for FFKC. File even when you are not sure of every detail.
  3. Notify your cyber insurance carrier. Most policies require notification within 24 to 72 hours. See cyber insurance readiness for what carriers expect.
  4. Preserve the email evidence — do not delete the malicious inbox rule. Forensics needs the mailbox rule, sign-in logs, audit trail, and OAuth consents before anything is reset. Tell IT explicitly: do not "clean up" the mailbox.
  5. Force a password reset and revoke all sessions on the compromised mailbox. In Microsoft 365, that is a password change plus "Sign out of all sessions." The sign-out is what kills the stolen session cookie.
  6. Review the Microsoft 365 audit log. What else did the attacker access — other matters, IOLTA records, shared folders? This is where the ethical and trust-accounting picture starts to form.
  7. Consult outside ethics counsel. Formal Opinion 483 duties should be assessed by someone not also managing the wire recovery.

The ABA Formal Opinion 483 angle

A compromised law firm mailbox is almost never just a closing thread. It holds correspondence on other matters, draft documents, client strategy, settlement positions, and anything else the attorney has emailed over the last few years.

If an attacker had access to that mailbox, Formal Opinion 483 imposes a notification duty to the current clients whose information was reasonably likely to have been affected. Wire fraud is the trigger event; client notification flows from there. A defensible analysis requires the audit log evidence — exactly what a rushed "cleanup" reflex destroys in the first hour.

Two insurance buckets, not one

A wire-fraud loss typically pulls from two parts of the insurance stack at once:

  • The crime rider or social engineering fraud sublimit pays the actual wire loss. This sublimit is commonly $25,000 to $250,000 — far below the headline cyber limit. Know the number on your renewal before you need it.
  • The cyber policy pays forensics, the mailbox investigation, breach counsel, notification costs, and privilege-aware review of what was accessed.

Both should be triggered. Firms sometimes notify one carrier and leave coverage on the table, or notify late and lose it entirely. Call the broker the same day and let them coordinate.

The IOLTA dimension

If the wire moved trust funds, the disciplinary exposure runs alongside the cyber loss. State bars have effectively zero tolerance for IOLTA failures, even unintentional ones. Reconciliation records, the audit trail of who touched the trust ledger, and the bookkeeping treatment of the loss are all about to be examined.

Bar reporting varies by state. The safer posture is to assume reporting is required and involve trust accounting counsel within the first day. Restoring trust account integrity — often by the firm advancing funds while recovery is pursued — is the immediate fiduciary question.

The lesson firms walk away with

The partners who have lived through this say the same thing afterward: it was not really a technical failure. It was a process failure compounded by a credential-theft event. Both ends needed fixing.

The credential theft is what MDR and ITDR are for — Managed Detection and Response on endpoints, Managed ITDR on Microsoft 365 identities. Those catch the AiTM signature, the foreign sign-in, the mailbox rule, and the token replay before the wire goes. The process failure is what the callback policy, dual-approval rule, and Managed SAT program are for. Those catch the wire even when the credential theft slips through.

Where Obsidian Ridge fits

We deploy Huntress Managed ITDR — Protected and Complete tiers — for law firms because the inbox-rule and foreign-sign-in detections are the highest-leverage controls against this attack. A hidden "wire/closing/escrow" forwarding rule fires a detection within minutes — hours or days before the fraudulent wire would otherwise be initiated.

We pair it with Managed SAT focused on payment-redirect and Adobe Sign lure scenarios, and a short tabletop on the callback policy so that when the moment comes, nobody is making it up in real time.

If you are not sure where your firm stands on the controls above, that is the conversation to have before a Friday morning arrives with a seven-figure closing.

Talk to us about Managed ITDR for your firm or review your cyber insurance readiness before renewal.

Last updated: May 14, 2026.


FAQ

Questions readers usually ask next

What is closing wire fraud and how does it differ from regular BEC?

Closing wire fraud is a specific flavor of business email compromise that targets a live real estate closing, settlement, or trust disbursement. The attacker compromises one of the four mailboxes in the thread — buyer, seller, agent, or law firm — sits silently on the conversation, and then injects "updated" wire instructions at the exact moment the funds are about to move. Regular BEC redirects an invoice. Closing wire fraud redirects a one-time, six- or seven-figure transfer that the firm is responsible for relaying.

If our firm has MFA on Microsoft 365, are we safe?

No. MFA stops credential-stuffing attacks, but adversary-in-the-middle phishing kits like EvilProxy, Tycoon, NakedPages, and Mamba 2FA proxy the real Microsoft login and steal the post-MFA session cookie. Once that cookie is replayed, your tenant cannot tell the attacker apart from your paralegal. MFA is necessary but it is not a finish line — especially when six-figure wires are moving.

What is a callback verification policy and why does it stop this?

Callback verification means any change to wire instructions — even a routing-number tweak — requires a phone call to the other party on a number from the engagement letter or original onboarding record, not the number in the email signature. The attacker controls the email thread but does not control the lender's or title company's phone. That single phone call catches almost every closing fraud attempt.

Can the bank reverse a fraudulent closing wire?

Sometimes, if you move fast. The FBI's Financial Fraud Kill Chain is run in coordination with banks and can recall domestic wires when the request reaches the receiving bank before the funds are layered out. IC3 expanded the program's coverage in 2024 and 2025. Hours matter — by the next business day, recovery odds drop sharply.

Do we have to report a wire fraud incident to the FBI?

You should, and quickly. IC3.gov is the FBI's front door for BEC and the entry point for the Financial Fraud Kill Chain. File the initial report the same day with whatever you know. You can update it as forensics fills in the picture. Reporting does not require you to be certain about everything that happened.

What about ABA Formal Opinion 483 — does this trigger client notification?

Likely yes. Formal Opinion 483 establishes a duty to notify current clients when their confidential information has been compromised by a cyber incident. If the compromised mailbox held correspondence, documents, or strategy for clients beyond the one whose closing was hit, those clients have a reasonable claim to be notified. Engage outside ethics counsel early — this is not a question to answer from intuition.

Will our cyber insurance pay for this?

Usually it splits across two coverages. The wire-fraud loss itself is paid under the crime rider or social engineering fraud sublimit, which is commonly $25,000 to $250,000 — often far below the headline cyber limit. The cyber policy pays the forensics, mailbox investigation, breach counsel, and notification costs. Both carriers should be notified within the policy window, usually 24 to 72 hours.

What are the IOLTA implications if trust account funds were involved?

Significant. State bars have effectively zero tolerance for IOLTA failures, even unintentional ones. If the wire moved from the trust account, the firm faces a cyber loss and a disciplinary exposure at the same time. State bar reporting may be required, and the firm's bookkeeping records, audit trail, and reconciliation history will all be scrutinized. Loop trust accounting counsel in within the first 24 hours.
