A video breakdown of social engineering attack targeting law firms

Watch the video breakdown:

BleepingComputer reports that Silent Ransom Group is actively targeting U.S. law firms and professional services organizations using invoice-themed emails followed by fake IT support calls. Mandiant says the group, tracked as UNC3753, Luna Moth, and Chatty Spider, targeted dozens of legal, financial, and professional-services organizations between January and May 2026.

The attack path is simple: a benign-looking email creates the pretext, then an attacker posing as IT talks the victim into a remote support session over Teams, Zoom, Quick Assist, or similar tools. From there, they push remote management software like AnyDesk or Zoho Assist, search for sensitive legal and financial documents, exfiltrate data with tools like WinSCP or Rclone, and move quickly to extortion. According to Mandiant, ransom demands can arrive within 30 minutes of the attackers leaving the environment.

Why this matters: law firms carry the exact files extortion groups want. They hold client transaction records, M&A plans, tax records, regulatory material, trade secrets, and privileged communications. The pressure is not limited to stolen data. Attackers can also threaten client trust, regulatory exposure, and lawsuits.

Ransomware crews do not need encryption when the data itself creates enough pressure. The notable part here is not a new exploit. It is the coordination around voice phishing, remote access tooling, fast theft, and direct pressure on clients and employees. A lot of defenses still treat this as an email security problem, but this campaign points more toward help desk verification, remote tool governance, SaaS/document repository monitoring, and employee confidence during unexpected IT contact.