
Microsoft 365 Email Security for Law Firms: How One Law Firm Got Spoofed and What I Did to Fix It

  • Writer: Shay
  • Jun 13, 2025
  • 6 min read

Updated: Apr 17

The Email Spoofing Incident That Triggered a Security Overhaul

[Image: Branded blog header with digital shield and courthouse icon, illustrating Microsoft 365 email security for law firms, with SNL Tech Services logo]

The Call That Started It All

A small law firm in Northern Virginia reached out to me after something they never expected happened.

Clients started receiving suspicious emails that looked like they came from the firm. Same email address. Similar tone. Requests that seemed legitimate. Until one client looked closer and flagged it.


This is one of the most common calls I get. It's exactly why Microsoft 365 email security for law firms needs to be a priority, not an afterthought.


No one clicked anything. No money moved. But the damage to trust? That was real.

When they called me, they were convinced their account had been hacked. It hadn't.

What actually happened was quieter than that. And more common than most law firms realize.




Why Law Firms Are a Target

Law firms handle sensitive client data, financial transactions, and confidential communications every single day.


That makes them valuable.


Attackers know that a spoofed email from a law firm's domain is more likely to be trusted. More likely to get someone to act without questioning it.


And here's what makes it worse: most small and mid-sized law firms in the DMV area, Northern Virginia, and Maryland are running Microsoft 365 with the default settings. No one ever told them the defaults aren't enough.


What I Found When I Got In There

When I reviewed their Microsoft 365 tenant, the picture became clear fast.

They had done the basics. Two-factor authentication was on. They had an SPF record. On paper, it looked like they were covered.

But here's what was missing:

  • Microsoft Defender for Office 365 had never been enabled

  • DKIM was not configured

  • DMARC didn't exist

  • Their SPF record wasn't being enforced properly

  • No impersonation or phishing policies were active

  • Logins were open to the entire world. Anyone, anywhere could attempt access

They had the right tools sitting right there inside Microsoft 365. They just had never been set up.


That's not a user error. That's a setup gap that most IT providers and managed service providers don't catch or don't prioritize.


Here's Exactly What I Did to Fix It


1. Enabled Microsoft Defender for Office 365 Plan 1

This is the foundation. It activated phishing protection, Safe Links URL scanning, malware detection, and impersonation alerts across their entire tenant.


2. Set Up DKIM and DMARC From Scratch

I added the correct DNS records and enabled domain signing. This tells the receiving mail server: this email actually came from us. Without it, anyone can forge your domain.


3. Fixed and Enforced Their SPF Record

Their SPF existed but wasn't enforcing anything. I updated it to align with Microsoft's best practices and set it to actually reject unauthorized senders.


4. Built Impersonation Protection Policies

I created policies to protect their core mailboxes: info@, billing@, and the managing partner. Then I turned on Mailbox Intelligence. This uses AI to learn how your team actually communicates, so it can flag anything that doesn't fit the pattern.


5. Activated a 90-Day Microsoft Defender Plan 2 Trial

This gave them access to real-time threat detection, automated investigation, and attack simulation training. A great way to see where the gaps are before you commit to a plan.


6. Locked Down Login Access by Country

I restricted account access to the United States only. If someone tries to log in from outside the country, they're blocked. It's one of the simplest and most effective protections available. And almost no one has it turned on.


What Is Mailbox Intelligence and Why Does It Matter?

Mailbox Intelligence is part of Microsoft Defender's impersonation protection, and it's one of the more underrated features in the Microsoft 365 security stack.


It uses machine learning to study how people in your organization communicate: who they email, how often, what patterns exist. When an attacker tries to mimic someone inside your firm, the system can catch it based on behavior, not just display names.


That matters because advanced impersonation attacks don't always look wrong on the surface. Mailbox Intelligence goes deeper than a basic filter.


SPF, DKIM, and DMARC — Why All Three Matter

These three work as a team. If even one is missing, there's a gap.

SPF tells the world which mail servers are authorized to send email for your domain.

DKIM adds a digital signature to every outgoing email so the recipient can verify it actually came from you.

DMARC tells receiving servers what to do when a message fails SPF or DKIM checks: whether to quarantine it, reject it, or let it through.


When all three are in place and aligned, spoofed emails pretending to come from your domain get blocked before they ever reach someone's inbox.

When even one is missing, as it was at this firm, attackers can exploit the gap.
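To make the "all three as a team" point concrete, here is a small offline checker, added as an example and not part of the original post or the firm's real DNS. The BEFORE and AFTER records are constructed to mirror the gaps found in the tenant (an SPF record ending in ~all that wasn't enforcing anything, and no DMARC record at all) against the fixed state; example.com stands in for the firm's domain, and the DKIM helper reproduces the CNAME naming pattern Microsoft documents for Exchange Online, which you should still copy from your own Defender portal rather than generate by hand.

```python
"""Offline check of a domain's SPF / DKIM / DMARC posture.

Constructed example: the records below are illustrative, not a real firm's DNS.
"""

# Constructed "before" (what the tenant looked like) and "after" (fixed) records.
BEFORE = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",  # exists, but soft-fail only
    "dmarc": None,                                             # no _dmarc TXT record at all
}
AFTER = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism) pairs plus the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                        # SPF's default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        elif "=" not in term:                  # skip modifiers such as redirect= / exp=
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_posture(record):
    """Only -all is 'enforced'; ~all, ?all, +all or no 'all' term leave the door open on SPF alone."""
    parsed = parse_spf(record) if record else None
    if parsed is None:
        return "missing"
    return {"-": "enforced", "~": "softfail", "?": "neutral", "+": "open"}.get(parsed["all"], "no-all")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; None if this is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")              # relaxed alignment is the DMARC default
    tags.setdefault("aspf", "r")
    return tags


def dmarc_posture(record):
    """'missing', 'monitor-only' (p=none) or 'enforced' (quarantine / reject)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    return {"none": "monitor-only", "quarantine": "enforced", "reject": "enforced"}.get(
        tags["p"].lower(), "invalid")


def m365_dkim_cnames(domain, initial_domain):
    """The two CNAMEs Exchange Online expects before DKIM signing can be enabled.
    Naming pattern as documented by Microsoft; copy the exact values from your own portal."""
    guid = domain.replace(".", "-")
    return {f"selector{i}._domainkey.{domain}": f"selector{i}-{guid}._domainkey.{initial_domain}"
            for i in (1, 2)}


def dmarc_disposition(policy_record, spf_pass, spf_aligned, dkim_pass, dkim_aligned):
    """What a receiving server does with one message under the sender domain's DMARC policy.
    DMARC passes if either SPF or DKIM passes with an identifier aligned to the From: domain."""
    tags = parse_dmarc(policy_record)
    if tags is None:
        return "deliver (no DMARC policy published)"
    if (spf_pass and spf_aligned) or (dkim_pass and dkim_aligned):
        return "deliver (DMARC pass)"
    return {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}[
        tags["p"].lower()]


def findings(records):
    """Map a record set to the plain-language gaps listed in the audit."""
    out = []
    if spf_posture(records.get("spf")) != "enforced":
        out.append("SPF record isn't enforced (needs -all)")
    dmarc = dmarc_posture(records.get("dmarc"))
    if dmarc == "missing":
        out.append("DMARC doesn't exist")
    elif dmarc != "enforced":
        out.append("DMARC is p=none, so failures are only reported, never blocked")
    return out


if __name__ == "__main__":
    print("before:", findings(BEFORE))
    print("after: ", findings(AFTER))
    # A forged message: From: example.com, sent from an unauthorised server, unsigned.
    print("forged mail, before:", dmarc_disposition(BEFORE["dmarc"], False, False, False, False))
    print("forged mail, after: ", dmarc_disposition(AFTER["dmarc"], False, False, False, False))
    print(m365_dkim_cnames("example.com", "contoso.onmicrosoft.com"))
```

To run it against a live domain, paste the TXT values returned by `nslookup -type=TXT example.com` and `nslookup -type=TXT _dmarc.example.com` into the record strings. The disposition function is the part worth studying: with no DMARC record, a forged message that fails both SPF and DKIM is still delivered, which is exactly the state this firm was in.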


Microsoft 365 Is Not Secure by Default

This is the part that catches most business owners off guard. Microsoft gives you the tools. But nobody turns them on for you.


The expectation is that your IT provider or someone like me will configure them properly.

If your Microsoft 365 was set up by a generalist, or through a reseller who just spun up the licenses and walked away, there's a real chance these protections are sitting there unused.


I Work With Law Firms and Small Businesses Across the Mid-Atlantic

If you're a small law firm, solo practice, or professional services business in Columbia, MD, Northern Virginia, Washington DC, Pennsylvania, West Virginia, or Delaware, this is something we should look at together.


I work with businesses of all sizes, from a one-person practice to teams of fifty. The audit is straightforward. The fixes are practical. And the peace of mind is worth it.


My Microsoft 365 security services include:

  • SPF, DKIM, and DMARC configuration

  • Microsoft Defender setup and policy management

  • Mailbox Intelligence and impersonation protection

  • Country-based login restrictions

  • Defender Plan 2 trial activation and support

  • Ongoing monitoring and practical user support


Getting Microsoft 365 email security right for law firms doesn't have to be complicated. It just has to be done.


Frequently Asked Questions: Microsoft 365 Email Security for Law Firms

Is Microsoft 365 secure out of the box for a law firm?

Not fully. Microsoft provides powerful security tools, but most of them need to be manually configured. Default settings leave significant gaps, especially around email authentication and impersonation protection.


What is email spoofing and how does it happen?

Email spoofing is when an attacker sends an email that appears to come from your domain without actually having access to your account. It happens when SPF, DKIM, and DMARC are missing or misconfigured, leaving your domain open to impersonation.


Do I need Microsoft Defender if I already have two-factor authentication?

Yes. Two-factor authentication protects your login. Microsoft Defender protects your email flow, including threats that never touch your login at all, like spoofing and phishing. They solve different problems.


How do I know if my law firm's Microsoft 365 is properly configured?

The honest answer is: you probably don't, unless someone specifically audited it. Most of these settings aren't visible in day-to-day use. An email security audit will show you exactly what's in place and what isn't.


What is DMARC and does my law firm need it?

DMARC is an email authentication policy that tells receiving servers how to handle emails that fail SPF or DKIM checks. Without it, even a strong SPF record can't fully protect you. Yes, every law firm using a custom domain should have DMARC configured.


Can attackers spoof my email without hacking my account?

Yes. That's what makes email spoofing particularly dangerous. Your account can be completely untouched while your domain is being used to send fraudulent emails to clients. SPF, DKIM, and DMARC are the protections that stop this.


How long does it take to secure a Microsoft 365 environment?

For most small law firms, the core configuration, including Defender, DKIM, DMARC, SPF, and login restrictions, can be completed in a single session. More complex environments may take longer depending on what's already in place.


Do you work with law firms outside of Maryland?

Yes. I work with small and mid-sized law firms and professional services businesses throughout Northern Virginia, Washington DC, Pennsylvania, West Virginia, and Delaware in addition to Maryland.


Ready to Check Your Setup?

If you're not sure whether your Microsoft 365 environment is protecting your clients the way it should be, let's take a look.


I offer straightforward audits with clear, actionable recommendations. No jargon, no upsell pressure.


Based in Columbia, MD, serving law firms and small businesses across the DMV, Northern Virginia, Maryland, Pennsylvania, West Virginia, and Delaware.

