Microsoft 365 Email Security for Law Firms: How One Law Firm Got Spoofed and What I Did to Fix It

  • Writer: Shay
  • Jun 13, 2025
  • 8 min read

Updated: May 7

The Email Spoofing Incident That Triggered a Security Overhaul

[Header image: digital shield and courthouse icon with the SNL Tech Services logo]

Quick Answer

A small law firm in Northern Virginia thought their email was secure because they had Microsoft 365, two-factor authentication, and an SPF record. It was not. Their domain was being spoofed and clients were receiving fake messages that looked like they came from the firm. The fix was not buying new tools. It was turning on the ones they already had. Microsoft 365 email security for law firms requires DKIM, DMARC, Microsoft Defender for Office 365, impersonation protection, and login restrictions configured properly. Most small law firms have all of these available in their licensing. Almost none of them have it turned on.


A small law firm in Northern Virginia was using Microsoft 365 and believed their email was secure. They had purchased their licensing, enabled two-factor authentication, and set up an SPF record. On the surface, everything appeared to be fine.


Then clients and other law firms started receiving suspicious emails that looked like they were coming from the firm's official email address.


These messages included malicious links and false requests. Some even mimicked the tone and structure of the firm's legitimate communication. One recipient flagged it before anyone interacted with the content. That is when the firm contacted me for help.


This case is a textbook example of why Microsoft 365 email security for law firms is critical, and why default settings alone are not enough to prevent impersonation or spoofing threats.




Why Microsoft 365 Email Security for Law Firms and Small Businesses Is Often Overlooked

This is not just a law firm problem. I see the same issue regularly in trades, service-based companies, and nonprofits across Maryland, Northern Virginia, Washington DC, Pennsylvania, West Virginia, Delaware, and the broader DMV area.


Most of these businesses believe they are secure because they have two-factor authentication enabled and an SPF record set up. Those are basic steps. They are not the whole picture.


Without DKIM and DMARC published for your domain, the servers that receive your mail (including other Microsoft 365 tenants) have no way to verify whether an email claiming to come from your business is real. Without Microsoft Defender configured, your own tenant does little to catch impersonation aimed at your staff. Many business owners do not know these protections exist. Worse, many IT providers do not turn them on by default.


Signs Your Microsoft 365 Email May Be Vulnerable

If any of these are true for your firm, your email environment is probably exposed:

  • You have never been told whether DKIM and DMARC are configured for your domain

  • Your SPF record exists but you do not know whether it ends in -all or whether a DMARC policy tells receivers to act on a failure

  • Microsoft Defender for Office 365 is not part of your monthly conversations with your IT provider

  • Anyone in the world can attempt to log into your Microsoft 365 account from any country

  • You have not seen an impersonation protection policy applied to your common mailboxes like info@ or billing@

  • Your firm has received reports of clients getting strange emails "from you" that you did not send

  • Your IT setup was handed off to you years ago and nobody has touched the security settings since


If you are nodding through this list, you are not alone. This is the most common gap I see in small business Microsoft 365 environments.


What I Found Missing in Their Microsoft 365 Setup

When I reviewed the firm's Microsoft 365 tenant, several important security features had never been configured:

  • Microsoft Defender for Office 365 was not enabled

  • DKIM and DMARC were missing entirely

  • The SPF record existed but was not properly enforced

  • No impersonation or phishing policies were active

  • Mailbox Intelligence was not enabled

  • Logins were not restricted by location, so anyone could attempt to access accounts from anywhere in the world


The firm had the right tools available. The configuration that makes those tools effective was missing.


Here Is How I Secured Their Environment

To stop the spoofing and prevent future threats, I made the following changes.


1. Enabled Microsoft Defender for Office 365 Plan 1

This activated phishing protection, safe link scanning, malware detection, and impersonation alerts.


2. Configured DKIM and DMARC

I added the correct DNS records and enabled domain signing to verify outgoing email was legitimate.


3. Corrected and Enforced SPF

I updated their SPF record to match Microsoft's best practices and made sure it was enforced to block unauthorized messages.


4. Set Up Impersonation Protection

I created policies to protect common mailboxes like info@ and billing@. I added user-level impersonation protection using Mailbox Intelligence, which uses AI to detect when someone is attempting to mimic a real user inside the organization.


5. Activated a 90-Day Microsoft Defender Plan 2 Trial

This gave the firm access to advanced features like real-time threat detection, automated investigation tools, and attack simulation training.


6. Restricted Account Access by Country

I limited login access to users located in the United States. This added another layer of protection by blocking unauthorized access attempts from outside the country.
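The six steps above, carried out from PowerShell, as an added example that is not the author's script. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator is a Global Administrator, and that the tenant holds a Defender for Office 365 license (the impersonation settings are rejected without one) and Entra ID P1 for Conditional Access; both come with Business Premium. "example.com", the info@ and billing@ display names and the break-glass account are placeholders. The DMARC record itself lives in public DNS and is not set from the tenant, so it is not created here.

```powershell
# Added example, not the author's script. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph PowerShell modules are installed and the operator is a Global Admin.
# "example.com" and the break-glass account are placeholders; replace them.
$Domain     = "example.com"
$BreakGlass = "breakglass@example.com"   # emergency admin excluded from the location block

Connect-ExchangeOnline -ShowBanner:$false

# 1. DKIM: create the signing config if needed, print the two CNAME targets that must be
#    published in public DNS, and enable signing only once both CNAMEs resolve.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $Domain -Enabled $false }
"Publish these CNAMEs for $Domain :"
"  selector1._domainkey.$Domain -> $($dkim.Selector1CNAME)"
"  selector2._domainkey.$Domain -> $($dkim.Selector2CNAME)"
$published = @('selector1', 'selector2') | Where-Object {
    Resolve-DnsName -Name "$_._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
}
if ($published.Count -eq 2 -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
}

# 2. Anti-phishing policy with user and domain impersonation protection plus Mailbox
#    Intelligence. Protected users are "DisplayName;address" pairs (placeholders here).
$policyName = "Impersonation protection - $Domain"
if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy -Name $policyName `
        -EnableTargetedUserProtection $true `
        -TargetedUsersToProtect @("Info;info@$Domain", "Billing;billing@$Domain") `
        -TargetedUserProtectionAction Quarantine `
        -EnableOrganizationDomainsProtection $true `
        -TargetedDomainProtectionAction Quarantine `
        -EnableMailboxIntelligence $true `
        -EnableMailboxIntelligenceProtection $true `
        -MailboxIntelligenceProtectionAction Quarantine `
        -EnableSpoofIntelligence $true `
        -AuthenticationFailAction MoveToJmf `
        -EnableFirstContactSafetyTips $true `
        -EnableSimilarUsersSafetyTips $true `
        -EnableSimilarDomainsSafetyTips $true `
        -EnableUnusualCharactersSafetyTips $true `
        -PhishThresholdLevel 2
    # The rule scopes the policy to the firm's recipient domain.
    New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName -RecipientDomainIs $Domain
}

# 3. Conditional Access: block sign-ins from outside the United States. The policy is
#    created in report-only mode; review the sign-in logs, then set state to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All" -NoWelcome

$us = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United States only"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false   # unknown geolocation is treated as outside
}
$breakGlassId = (Get-MgUser -UserId $BreakGlass).Id

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sign-in from outside the US"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($us.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
} | Out-Null
```

Two caveats worth keeping in mind. The country block is a layer against password-spray and credential-stuffing from abroad, not against spoofing, and an attacker on a US VPN or residential proxy passes it, so it does not replace phishing-resistant MFA. And always exclude a break-glass account before enabling a blocking policy; a policy that locks every administrator out of the tenant is a common self-inflicted outage.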


What Is Mailbox Intelligence and Why Does It Matter?

As part of Microsoft Defender's impersonation protection, I enabled Mailbox Intelligence, which uses machine learning to build a map of who each mailbox actually corresponds with. When a message arrives from a sender your users have never exchanged mail with, but whose display name or address closely resembles someone they write to regularly, Defender treats it as a likely impersonation and applies the action you chose, such as quarantine.


It does not rely only on display names or on a static list of protected users. It compares the new sender against each user's real contact history, which is what catches lookalike senders that a fixed list of names would miss.


Why SPF, DKIM, and DMARC Are So Important

These three DNS records work together to protect your domain's reputation and prevent forged email:

  • SPF lists the servers (for Microsoft 365, spf.protection.outlook.com) allowed to send mail for your domain. Receivers check it against the envelope sender (Return-Path), not the From address a person sees, and the record should end in -all so that a failure is a hard fail rather than a suggestion.

  • DKIM signs each outgoing message with a private key held by Microsoft 365. The matching public key is published in DNS under your domain, so a receiver can confirm the message was sent by your tenant and was not altered in transit.

  • DMARC ties them together. It requires that the domain which passed SPF or DKIM aligns with the domain in the visible From header, tells receivers what to do on failure (p=none, quarantine or reject), and sends you aggregate reports of who is sending as your domain.


When all three are in place, with DMARC at quarantine or reject, a message that forges your From address fails alignment and can be blocked or quarantined before it reaches the recipient's inbox. SPF alone cannot do this, because an attacker can put your domain in the visible From header while using a domain they control as the envelope sender.
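A read-only check of the three records for a domain, covering the questions in the "Signs Your Microsoft 365 Email May Be Vulnerable" checklist as well as the section above. This is an added example, not a script from the article; it assumes a Windows host with the DnsClient module (Resolve-DnsName) and a domain whose mail is hosted in Microsoft 365. For such a domain the expected records are an SPF TXT of `v=spf1 include:spf.protection.outlook.com -all`, two CNAMEs (selector1 and selector2 under _domainkey) into the tenant's onmicrosoft.com zone, and a `_dmarc` TXT along the lines of `v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com` (placeholder address). "example.com" is a placeholder.

```powershell
# Added example: read-only DNS audit of SPF, DKIM and DMARC for a Microsoft 365 domain.
# Not from the original article. Assumes Resolve-DnsName (DnsClient module, Windows).
param([string]$Domain = "example.com")   # placeholder domain

function Get-TxtStrings {
    # Returns each TXT record at $Name as one joined string (long keys are split into chunks).
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { ($_.Strings -join '') }
    } catch { @() }
}

$findings = New-Object System.Collections.Generic.List[string]

# --- SPF: exactly one v=spf1 record, Microsoft's senders included, hard fail at the end.
$spf = @(Get-TxtStrings $Domain | Where-Object { $_ -match '^v=spf1\b' })
if ($spf.Count -ne 1) {
    $findings.Add("SPF: expected exactly one v=spf1 record, found $($spf.Count)")
} else {
    if ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
        $findings.Add("SPF: record does not include spf.protection.outlook.com, so Microsoft 365 itself is not authorized")
    }
    if ($spf[0] -notmatch '\s-all\s*$') {
        $findings.Add("SPF: record does not end in -all (soft fail ~all or neutral ?all lets forged mail through)")
    }
}

# --- DKIM: Microsoft 365 uses two selectors, each a CNAME into the tenant's onmicrosoft.com zone.
foreach ($selector in 'selector1', 'selector2') {
    $name = "$selector._domainkey.$Domain"
    try {
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    } catch { $cname = $null }
    if (-not $cname) {
        $findings.Add("DKIM: no CNAME for $name (signing cannot be enabled until it exists)")
        continue
    }
    # Resolving TXT through the CNAME should yield the public key (p=) Microsoft publishes.
    $key = Get-TxtStrings $name | Where-Object { $_ -match '(^|;)\s*p=' }
    if (-not $key) {
        $findings.Add("DKIM: $name points to $($cname.NameHost) but no public key (p=) resolves there; check that signing is enabled in the tenant")
    }
}

# --- DMARC: policy strength and reporting address.
$dmarc = @(Get-TxtStrings "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' })
if ($dmarc.Count -ne 1) {
    $findings.Add("DMARC: expected exactly one v=DMARC1 record at _dmarc.$Domain, found $($dmarc.Count)")
} else {
    $tags = @{}
    foreach ($pair in ($dmarc[0] -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$matches[1]] = $matches[2] }
    }
    $policy = if ($tags.ContainsKey('p')) { $tags['p'].ToLower() } else { '' }
    switch ($policy) {
        'reject'     { }
        'quarantine' { $findings.Add("DMARC: p=quarantine; move to p=reject once reports show all legitimate mail passes") }
        'none'       { $findings.Add("DMARC: p=none is monitor-only; receivers are not asked to block spoofed mail") }
        default      { $findings.Add("DMARC: missing or invalid p= tag") }
    }
    if (-not $tags.ContainsKey('rua')) {
        $findings.Add("DMARC: no rua= address, so nobody receives aggregate reports")
    }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        $findings.Add("DMARC: pct=$($tags['pct']) applies the policy to only part of the mail stream")
    }
}

if ($findings.Count -eq 0) { "$Domain : SPF, DKIM and DMARC all look correct" }
else { $findings | ForEach-Object { "[$Domain] $_" } }
```

Run it as `.\Check-MailAuth.ps1 -Domain yourfirm.com` (any file name will do). A clean result means the records exist and are shaped correctly; it does not prove every legitimate sender aligns, which is what the DMARC aggregate reports are for, so keep p=none only as long as it takes to confirm that and then tighten the policy.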


Microsoft 365 Is Not Secure by Default

Many small businesses assume Microsoft 365 is automatically secure once it is purchased. It is not. Microsoft gives you excellent security tools. They have to be configured manually.


If email authentication is not set up, if Microsoft Defender is not enabled, or if login access is open to the world, your business may be vulnerable to spoofing, phishing, and unauthorized access. For law firms specifically, that exposure is not just a technical risk. It is a client confidentiality risk and a malpractice risk.



Think You Are Protected? You Might Want to Double-Check

Even if you have two-factor authentication and a working SPF record, that is only part of the picture. Most spoofing never touches your user accounts at all: the attacker sends from their own infrastructure and simply writes your domain in the From header, so no login is attempted and no second factor is ever challenged. That is why securing your domain's DNS and mail flow, not just your accounts, is essential.


If these protections were never configured during your Microsoft 365 setup, your business may still be vulnerable.


My Microsoft 365 Email Security Services Include

  • SPF, DKIM, and DMARC configuration

  • Microsoft Defender for Office 365 setup and policy management

  • Mailbox Intelligence and impersonation protection

  • Country-based login restrictions

  • Microsoft Defender Plan 2 trial activation and support

  • Phishing simulation and end-user training rollout

  • Ongoing monitoring and practical user support


Frequently Asked Questions

What is email spoofing and how does it work?

Email spoofing is when an attacker sends a message that looks like it came from your domain when it did not. They forge the visible From header so the recipient sees your law firm's name and email address, while the message actually leaves the attacker's own mail server. Without SPF, DKIM, and DMARC properly configured, receiving servers have no reliable way to tell the message is fake. The recipient sees what looks like a real email from you and acts on it.


How can I tell if my law firm's email is being spoofed?

The most common sign is a client or another firm calling to ask about an email they received that you did not send. Other signs include bounce-back messages for emails you never sent, complaints about strange links coming from your domain, or notices from email security tools at the recipient's end. By the time you find out, the damage is usually already done. That is why getting ahead of it with proper authentication matters.


Is two-factor authentication enough to protect my Microsoft 365 email?

No. Two-factor authentication protects user logins. It does nothing to stop someone from spoofing your domain from outside your tenant. Spoofing happens at the email delivery layer, not the login layer. You need SPF, DKIM, and DMARC to address it. Two-factor authentication is necessary, but it is one layer of many.


What are SPF, DKIM, and DMARC, and do I need all three?

Yes, you need all three. SPF tells the world which servers are allowed to send email for your domain, but it is checked against the envelope sender, not the From address the recipient sees. DKIM digitally signs your outgoing messages with a key published in your DNS, so recipients can verify they came from your tenant and were not tampered with. DMARC ties them together: it requires the domain that passed SPF or DKIM to match the visible From domain, and tells receiving servers what to do when a message fails. Without all three configured and aligned, your domain is open to spoofing.


What is Microsoft Defender for Office 365 and is it included with my Microsoft 365 license?

Microsoft Defender for Office 365 is Microsoft's email security and threat protection product. It handles phishing detection, safe link scanning, malware filtering, impersonation protection, and attack simulation training. Defender Plan 1 is included with Microsoft 365 Business Premium. Plan 2 is included with E5 or available as an add-on. Most small law firms I work with already have access to it through their licensing. They just have not turned it on.

Does Microsoft 365 Business Standard include the email security features a law firm needs?

Not really. Business Standard does not include Microsoft Defender for Office 365. For a small law firm handling client information, Microsoft 365 Business Premium is usually the right starting point. It includes Defender Plan 1, device management, and advanced identity protection. The cost difference per user is small. The security gap between Standard and Premium is large.


Is my law firm responsible if a client is harmed by an email spoofed from my domain?

That is a legal question and the answer depends on the specifics, including whether reasonable security measures were in place. From a practical standpoint, ABA Model Rule 1.6 requires lawyers to make reasonable efforts to prevent unauthorized disclosure of client information. Most state bars have adopted similar language. If your domain was spoofed because basic email authentication was never configured, "reasonable efforts" gets very hard to defend. This is also a frequent question on cyber liability insurance applications.


How long does it take to fully secure a Microsoft 365 tenant for a small law firm?

For a small firm under twenty users, the core security configuration usually takes a few weeks of work spread across DNS changes, Defender setup, conditional access policies, and user training. The DNS changes themselves usually propagate within hours, but DMARC aggregate reports arrive once a day, so it takes a few days of reports to confirm that every legitimate sender passes before the policy is moved from monitor-only to quarantine or reject. Conditional access and country restrictions can be deployed within the first week, ideally in report-only mode first. The full hardening, including impersonation protection and phishing simulation, is typically complete inside a month.


Do you provide Microsoft 365 email security services for small businesses outside of Maryland?

Yes. I am based in Columbia, MD and serve small to mid-sized businesses across Maryland, Northern Virginia, Washington DC, Pennsylvania, West Virginia, Delaware, and the broader DMV area. Most Microsoft 365 hardening work is done remotely, so location is rarely a factor. On-site visits are available throughout the service area when needed.


What does Microsoft 365 email security cost for a small law firm?

The licensing is usually the biggest variable. Microsoft 365 Business Premium runs about $22 per user per month at the time of writing and includes the security stack most small firms need. The configuration work is a one-time engagement based on the size of the firm and the state of the existing setup. Most small firms can be fully hardened for less than the cost of cleaning up a single email-based breach.


Book Your Microsoft 365 Email Security Checkup

Based in Columbia, MD and serving small to mid-sized law firms and businesses across Maryland, Northern Virginia, Washington DC, Pennsylvania, West Virginia, Delaware, and the broader DMV area, I help small firms close the gaps that most Microsoft 365 setups leave wide open.

If you want to know whether your firm's email is actually secure, contact me today and we will take a look together.


