Why Every Law Firm Needs Identity Threat Detection in 2026

March 19, 2026, by Laz De La Vega

Introduction

Law firms are prime targets for identity-based cyberattacks. Business email compromise (BEC) targeting legal professionals has surged to record levels in 2026, with attackers specifically pursuing access to privileged attorney-client communications, trust accounts, and settlement funds. The traditional perimeter-based security model is no longer sufficient — the identity IS the new perimeter.

This article explains why Identity Threat Detection and Response (ITDR) has become a non-negotiable layer of security for any law firm operating on Google Workspace or Microsoft 365. If you're still relying solely on standard email filtering and endpoint protection, your firm has a critical blind spot.

The Threat Landscape for Law Firms in 2026

Law firms have become incredibly attractive targets for sophisticated threat actors, and the numbers back this up. Business email compromise attacks specifically targeting the legal industry have accelerated dramatically, with attackers executing multi-stage campaigns that often span weeks or months.

Here's why your firm is on the radar:

  • Trust accounts and settlement funds. Law firms hold client money in escrow. A single compromised attorney account can lead to wire transfers of hundreds of thousands of dollars.
  • Privileged attorney-client communications. Email access gives attackers a window into confidential case details, settlement negotiations, and legal strategy — information worth real money to competitors or bad actors.
  • Client data and personal information. Law firms collect and store social security numbers, financial details, and personal information at scale. A data breach impacts not just the firm, but every client you represent.
  • High-value targets with limited security maturity. Many smaller and mid-sized firms operate with basic security controls. Attackers know this and have adapted their techniques accordingly.

The financial impact is staggering. Recent incident response data shows that average BEC losses for law firms range from $25,000 to over $500,000 per incident. And that's just direct financial loss — add in regulatory notification obligations, forensic investigation, client trust damage, and potential malpractice exposure, and the real cost becomes exponential.

Attack vectors have evolved too. Credential stuffing attacks exploit reused passwords across multiple services. Session hijacking steals active browser tokens. OAuth token abuse grants attackers persistent access through compromised integrations. And then there's the technique that defeats most MFA implementations: adversary-in-the-middle (AiTM) phishing, which captures MFA tokens in real time as users enter them.

What Is Identity Threat Detection and Response (ITDR)?

Identity Threat Detection and Response is real-time monitoring of identity-based threats across your cloud platforms. It's fundamentally different from traditional endpoint detection and response (EDR) because it operates at the identity layer — the layer where your employees actually authenticate and access data.

While EDR watches what happens on a device, ITDR watches what happens after someone logs in. And in today's cloud-first world, that's where the real action is.

Key ITDR capabilities include:

  • Suspicious login detection. ITDR systems analyze login patterns in real time. Impossible travel (logging in from New York and then London within 30 minutes), unusual login times, and access from unfamiliar locations or devices are flagged immediately.
  • OAuth app abuse monitoring. Attackers use consent phishing to trick users into authorizing malicious third-party applications. ITDR detects when OAuth tokens are abused and can revoke suspicious app permissions.
  • Mail rule tampering alerts. A compromised email account is often used to set up forwarding rules or deletion rules that hide evidence. ITDR alerts on suspicious mail rule changes in real time.
  • Session anomaly detection. Even after successful authentication, ITDR monitors user behavior — file access patterns, email forwarding, data downloads. Anomalies trigger investigation.
  • 24/7 SOC analyst response. Unlike automated alerts that often create alert fatigue, ITDR solutions backed by 24/7 Security Operations Center (SOC) analysts triage threats, investigate suspicious activity, and execute response actions immediately.
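To make the first three capabilities concrete, here is a small detector, added as an illustration and not code from Huntress or any ITDR product, that runs over a handful of constructed sign-in and mailbox-rule audit events. It flags impossible travel between consecutive logins (distance divided by elapsed time faster than an airliner) and mail rules that forward outside the firm's domain or delete messages; the user names, IPs, coordinates and domain are all invented.

```python
import math
from datetime import datetime, timezone

# Constructed sample audit events (not from any real tenant).
EVENTS = [
    {"ts": "2026-03-02T09:00:00Z", "user": "jsmith@example-firm.com", "type": "login",
     "ip": "203.0.113.10", "lat": 25.77, "lon": -80.19},   # Miami
    {"ts": "2026-03-02T09:25:00Z", "user": "jsmith@example-firm.com", "type": "login",
     "ip": "198.51.100.7", "lat": 51.51, "lon": -0.13},    # London, 25 minutes later
    {"ts": "2026-03-02T09:31:00Z", "user": "jsmith@example-firm.com", "type": "mail_rule",
     "action": "create", "forward_to": "archive@mailbox-example.net", "delete": True},
    {"ts": "2026-03-02T10:00:00Z", "user": "aperez@example-firm.com", "type": "login",
     "ip": "203.0.113.22", "lat": 26.12, "lon": -80.14},   # Fort Lauderdale
    {"ts": "2026-03-02T13:30:00Z", "user": "aperez@example-firm.com", "type": "login",
     "ip": "203.0.113.23", "lat": 25.77, "lon": -80.19},   # Miami, a plausible drive later
]

INTERNAL_DOMAIN = "example-firm.com"   # assumed firm domain
MAX_KMH = 900.0                        # faster than commercial air travel => impossible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect(events):
    """Return alerts for impossible travel and for external-forward or delete mail rules."""
    alerts, last_login = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        user = ev["user"]
        if ev["type"] == "login":
            prev = last_login.get(user)
            if prev:
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
                kmh = km / max(hours, 1 / 3600)          # floor the gap at one second
                if kmh > MAX_KMH:
                    alerts.append({"user": user, "rule": "impossible_travel", "kmh": round(kmh)})
            last_login[user] = ev
        elif ev["type"] == "mail_rule":
            fwd = ev.get("forward_to", "")
            external = bool(fwd) and fwd.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
            if external or ev.get("delete"):
                alerts.append({"user": user, "rule": "suspicious_mail_rule", "forward_to": fwd})
    return alerts
```

A real deployment would geolocate the IP rather than carry coordinates in the event, and would baseline each user's normal locations before alerting.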

The key difference: traditional email filtering and endpoint protection are reactive. ITDR is proactive. It monitors the identity layer continuously and responds to threats in real time, often before any damage occurs.

Why MFA Alone Isn't Enough

You've heard this before: "Just enable MFA." And it's true — MFA is essential. But it's far from sufficient, and attackers have evolved their techniques accordingly.

Here are the gaps:

MFA fatigue attacks. Attackers obtain valid credentials (through credential stuffing or phishing) and then trigger repeated MFA prompts. After the sixth or seventh prompt, users become fatigued and simply click "Approve" without thinking. It works surprisingly often.

Adversary-in-the-middle (AiTM) phishing. Modern phishing kits don't just steal credentials — they act as a proxy between the user and the legitimate login page. The user enters their username, password, and MFA code into the phishing page, which relays them in real time to the legitimate service. The user gets logged in successfully, and the attacker captures a valid session token that works for hours or days.

Session token theft. Even after a user successfully authenticates with MFA, their session token (a long-lived credential) can be stolen through browser malware, network interception, or application compromises. These stolen tokens bypass MFA entirely.

OAuth consent phishing. Attackers send emails that look like legitimate app authorization requests from Microsoft or Google. Users click "Authorize" and grant the attacker's malicious application access to their email, files, and calendar. No password, no MFA — just a simple click.

ITDR detects what happens AFTER authentication. It sees the impossible travel, the unusual file access patterns, the mail rule changes, the suspicious OAuth permissions. MFA gets you past the front door. ITDR is the security inside your home.

Real-World Impact — What We've Seen

Primetime IT Solutions has deployed Huntress ITDR across several client Google Workspace environments serving law firms. During a recent 9-month monitoring period, the platform identified and blocked 6 documented security events.

Each event represented a potential account compromise that could have led to unauthorized access to client data, email takeover, or data exfiltration. Here's what's critical: without ITDR, these events would have gone completely undetected by standard email filtering and endpoint protection.

Think about that for a moment. Six separate incidents that would have silently compromised law firm email accounts, with zero visibility from traditional security tools. The attackers would have had access to privileged communications, client trust account details, and settlement information.

ITDR caught them. Not through luck. Through real-time monitoring of the identity layer and human analysts verifying and responding to suspicious activity 24/7.

Google Workspace and Microsoft 365 — Different Platforms, Same Risk

Whether your firm runs Google Workspace or Microsoft 365, the risk profile is identical. Both platforms are cloud-first, identity-centric environments where the identity IS the security boundary.

Google Workspace considerations:

  • OAuth app ecosystem is expansive but risky. Users can authorize third-party apps with access to email, calendar, and Drive.
  • Google Drive data exposure happens when shared drives are misconfigured or when Drive shortcuts expose sensitive files.
  • Mail delegation abuse allows attackers to monitor email without changing the password.

Microsoft 365 considerations:

  • Entra ID (Azure AD) attack surface includes application registrations, service principals, and consent grants that most firms don't monitor.
  • Conditional access policies, when misconfigured, can fail to block high-risk logins.
  • Power Automate and Microsoft Graph API abuse allows attackers to automate data exfiltration or email forwarding.

The good news: ITDR monitors the identity layer regardless of platform. Huntress ITDR for Google Workspace and Microsoft Defender for Microsoft 365 both provide the same core protection — real-time detection of identity-based threats with SOC analyst response.

Additionally, many ITDR solutions include integrated Data Loss Prevention (DLP) capabilities that extend protection to file sharing and external access. You can prevent sensitive documents from being shared externally or restrict data downloads from high-risk locations.

What Law Firms Should Do Now

If you run Google Workspace or Microsoft 365, ITDR should be at the top of your security priorities. Here's a practical checklist:

  • Deploy ITDR across all identities. Don't just monitor a few accounts. Enable it for every attorney, paralegal, and staff member. The attacker doesn't care about title — any email account is a potential entry point.
  • Implement identity-aware conditional access policies. Both Google Workspace and Microsoft 365 support conditional access rules. Enforce MFA for all users, block logins from risky locations, and require passwordless authentication where possible.
  • Enforce phishing-resistant MFA (FIDO2, passkeys). Legacy MFA methods (SMS, authenticator apps) can be circumvented. FIDO2 security keys and passkeys are phishing-resistant — they cryptographically bind to the legitimate website and can't be tricked by AiTM phishing.
  • Conduct quarterly security posture reviews. Work with a managed security provider to review identity settings, OAuth permissions, mail rules, and external sharing configurations. Drift happens. Regular reviews catch it.
  • Establish documented incident response procedures. If ITDR detects a compromised account, your team needs a clear runbook: How do you isolate the account? How do you investigate? What do you communicate to clients and regulators? Practice this regularly.
  • Partner with a managed security provider. ITDR requires expertise to implement and monitor effectively. Partner with a provider offering 24/7 SOC monitoring, rapid incident response, and regular threat reporting.
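Why FIDO2 and passkeys resist the AiTM phishing described earlier comes down to checks the relying party performs before it even verifies the signature. The following is an added illustration, not code from any vendor: the browser writes the page's real origin into clientDataJSON, the authenticator's signature covers a hash of that JSON, and the relying party rejects any assertion whose origin or rpIdHash is not its own. The rpId, origins and challenge are constructed; signature verification is left out because it needs a crypto library.

```python
import base64
import hashlib
import json

RP_ID = "login.example-firm.com"                     # assumed relying-party id
ALLOWED_ORIGINS = {"https://login.example-firm.com"}  # assumed legitimate origin

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_b64, authenticator_data, expected_challenge):
    """Relying-party checks that precede signature verification in a WebAuthn login.
    Returns (ok, reason). Signature verification itself is omitted here."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not the relying party" % client_data.get("origin")
    # authenticatorData begins with SHA-256(rpId); the key is scoped to that rpId.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"

def make_client_data(origin, challenge):
    """Constructed clientDataJSON as the browser builds it for the page the user is on."""
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return base64.urlsafe_b64encode(raw.encode()).decode().rstrip("=")

# Constructed authenticatorData: rpIdHash || flags (UP set) || signCount
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
CHALLENGE = "dGVzdC1jaGFsbGVuZ2U"   # constructed; a real one is random per login

if __name__ == "__main__":
    genuine = make_client_data("https://login.example-firm.com", CHALLENGE)
    proxied = make_client_data("https://login.example-firm.com.proxy-example.net", CHALLENGE)
    print(check_assertion(genuine, AUTH_DATA, CHALLENGE))   # (True, 'ok')
    print(check_assertion(proxied, AUTH_DATA, CHALLENGE))   # rejected on origin
```

In practice the browser would not even let a proxy domain exercise a credential scoped to the firm's rpId; the origin check is the relying party's backstop, and a password plus one-time code has no equivalent.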

The Cost of Doing Nothing

Let's talk about the financial reality of a BEC incident in a law firm.

A single incident can cost $25,000 to $500,000+ in direct losses. But that's just the starting point. Add regulatory notification obligations (GDPR, state data breach laws), forensic investigation costs, client notification, credit monitoring services for affected clients, and potential malpractice exposure. The real cost easily reaches seven figures for a serious incident.

Now consider the cost of ITDR. At typical pricing of $15 per identity per month, a 47-identity law firm pays approximately $705 per month, or $8,460 annually. That's less than the retainer on a single legal matter.

The math is simple: ITDR costs are a fraction of a single incident. It's not an expense — it's insurance.

Conclusion

Identity-based threats aren't slowing down. They're accelerating. Threat actors have refined their techniques, built sophisticated tooling, and identified law firms as high-value targets. They're going to keep attacking.

Law firms that rely solely on endpoint protection and basic MFA are operating with a critical blind spot. They have visibility into threats on devices and at the perimeter, but nothing monitoring what happens after authentication — where the real damage occurs.

ITDR fills that gap. It monitors the identity layer in real time, detects threats that bypass traditional security controls, and enables rapid response before damage occurs. For any law firm using Google Workspace or Microsoft 365, identity threat detection should be at the top of your security priorities in 2026.

The cost is minimal. The peace of mind is invaluable.

Laz De La Vega

Laz De La Vega is the Owner and vCIO of Primetime IT Solutions, a managed IT and cybersecurity firm serving South Florida businesses since 2007. He specializes in helping law firms, professional services firms, and growing businesses secure their cloud infrastructure and respond to cybersecurity threats.
