
Email Security for Law Firms: A Complete Guide to Protecting Client Communications

Law firms are the #1 target for business email compromise. This guide covers the exact email security stack every law firm needs—from DMARC to encryption to M365 hardening.

Author: PlatOps Team
Published: April 28, 2026
11 min read

Law firms move money, hold secrets, and maintain relationships built on trust. That combination makes them a priority target for attackers running business email compromise (BEC) schemes. The FBI's IC3 2023 Annual Report (released 2024) documented over $2.9 billion in BEC losses—and legal services consistently rank among the top three sectors targeted by wire fraud attacks.

The mechanics are straightforward: an attacker compromises or spoofs a partner's email, inserts themselves into an active real estate closing or M&A deal, and redirects a wire transfer. The client sends $2.4 million to a fraudulent account. By the time the error surfaces, the funds are gone. This scenario plays out regularly across firms of every size.

What makes law firms uniquely vulnerable isn't negligence—it's the nature of legal practice. High-value transactions close on tight timelines. Partners have authority to instruct wire transfers. Clients follow emailed instructions without independent verification. Email chains extend across opposing counsel, title companies, escrow agents, and clients—each a potential entry point.

This guide covers the complete email security stack a law firm needs: authentication protocols, Microsoft 365 hardening, encryption controls, phishing defense, and archiving requirements. It's written for managing partners and IT decision-makers who need to understand both the technical requirements and the ethical obligations.


Why Law Firms Are Prime BEC Targets

Three factors make legal email unusually attractive to attackers.

Wire transfer authority at scale. Real estate closings, M&A transactions, litigation settlements, and escrow disbursements all flow through attorney trust accounts. A single compromised email thread can redirect a seven-figure wire. Unlike targeting an accounts payable clerk, compromising a partner email gives attackers plausible authority to instruct large transfers with minimal scrutiny.

Privileged information with resale value. Attorney-client communications contain material nonpublic information in M&A matters, litigation strategy that opposing parties would pay to obtain, trade secrets in IP disputes, and personal financial details in family law. Nation-state actors and corporate espionage operations target firm email specifically for intelligence, not just immediate financial gain.

Trust architecture that attackers exploit. Legal relationships run on trusted communication. Clients follow emailed instructions from their attorneys. Opposing counsel accept word from lawyers they've worked with for years. This trust is a professional asset—and a structural vulnerability. Attackers exploit it by spoofing or compromising accounts to issue fraudulent instructions that look legitimate precisely because they come from a trusted channel.

The insider threat multiplier. Law firms have high attorney turnover, extensive use of contract attorneys, and legacy systems maintained for decades. Former employees with lingering access, weak offboarding procedures, and unmonitored service accounts create attack surface that purely technical firms don't face.

The 2022 ABA TechReport found that 27% of law firms had experienced a security breach. Smaller firms (under 10 attorneys) reported breach rates comparable to larger firms—attackers don't discount solo practitioners when the client matters involve high-value transactions.


ABA Ethical Obligations for Email Security

Email security isn't optional for law firms—it's an ethical requirement.

Model Rule 1.6: Confidentiality of Information requires lawyers to make reasonable efforts to prevent unauthorized disclosure or access to client information. Comment 18 to Rule 1.6 explicitly addresses electronic communications: lawyers must consider the sensitivity of the information, the likelihood that it will be intercepted, and the potential adverse consequences if intercepted.

ABA Formal Opinion 477R (2017) updated guidance on the duty of confidentiality for electronic communications. It acknowledged that unencrypted email is generally acceptable for most communications but created higher obligations for highly sensitive matters. Specifically, the opinion states that lawyers must "apply a reasonable degree of care" to electronic communications and must consider whether a particular communication warrants enhanced security measures—including encryption—based on the nature and sensitivity of the content.

State bar opinions have gone further. The New York State Bar Association has issued guidance requiring reasonable security measures for cloud-stored client data, which extends to hosted email. The California Bar's cybersecurity guidelines explicitly reference email authentication controls. Several state bars have issued ethics opinions finding that failure to implement basic security controls violates competence obligations under Rule 1.1 (Competence) in addition to Rule 1.6.

Practical implication: if your firm suffers a breach because you hadn't implemented controls that are broadly considered baseline—DMARC, MFA, encrypted transmission—the question in a bar complaint or malpractice claim will be why you hadn't. "We didn't know about it" is not a defense when ABA Formal Opinion 477R has been available since 2017.

The standard is reasonable, not perfect. But reasonable in 2026 means MFA on every email account, DMARC at enforcement, encrypted transmission for sensitive matters, and documented security practices. These are achievable, not aspirational.


The Email Authentication Stack

Email authentication prevents your domain from being spoofed. Without it, any attacker can send email that appears to come from partner@yourfirm.com with no technical barrier. Authentication doesn't prevent compromised accounts—it prevents impersonation of your domain from external infrastructure.

The stack has four layers. Implement them in order.

Layer 1: SPF (Sender Policy Framework)

SPF publishes a DNS record identifying which mail servers are authorized to send email for your domain. Receiving servers check whether the sending IP is in that list.

v=spf1 include:spf.protection.outlook.com -all

For an M365-only environment, this record is minimal. The -all (hard fail) tells receiving servers to reject mail from unauthorized sources. Use this, not ~all (soft fail), which only marks messages as suspicious.

Common mistake: adding too many include: statements. SPF allows at most 10 DNS lookups per evaluation; every include:, a, mx, ptr, exists and redirect term costs one, including the terms nested inside the records you include. Exceed the limit and evaluation returns a permanent error, which receivers treat as if you had published no SPF record at all, and nothing warns you that this has happened. If your firm uses M365 plus marketing email, plus a CRM, plus a client portal, audit each sender's lookup cost before adding it to SPF.
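The lookup-limit audit described above, as an added example (Python, not from the article or from any DMARC vendor): it walks an SPF record and every record it includes, charging one lookup per querying term. yourfirm.com and spf.protection.outlook.com are taken from the article; the other zone names, record contents and IP ranges are constructed so the example runs offline, and the lookup function is a stand-in for a real DNS TXT query.

```python
"""Count the DNS lookups an SPF record triggers.

RFC 7208 limits SPF evaluation to 10 DNS-querying terms (include, a, mx,
ptr, exists, redirect); ip4/ip6/all cost nothing. Added example, not from
the article. It takes a lookup function so the constructed zone below runs
offline; pass a real TXT resolver to audit a live domain.
"""

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LOOKUP_LIMIT = 10
QUALIFIERS = "+-~?"

# Constructed zone: a firm on M365 that has also bolted on a CRM, a marketing
# platform and a client portal. Addresses are documentation ranges, not real.
FAKE_TXT = {
    "yourfirm.com": ("v=spf1 include:spf.protection.outlook.com include:crm.example "
                     "include:mktg.example include:portal.example mx -all"),
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "crm.example": "v=spf1 include:_spf1.crm.example include:_spf2.crm.example -all",
    "_spf1.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf2.crm.example": "v=spf1 a mx -all",
    "mktg.example": "v=spf1 include:_a.mktg.example include:_b.mktg.example ~all",
    "_a.mktg.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_b.mktg.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "portal.example": "v=spf1 a -all",
}


def fake_lookup(name):
    """Stand-in for a DNS TXT query; unknown names get an empty record."""
    return FAKE_TXT.get(name, "v=spf1 -all")


def count_spf_lookups(domain, lookup, _depth=0):
    """Return (lookups, charged_terms) for domain, following include/redirect."""
    if _depth > 10:  # a circular include chain would otherwise recurse forever
        raise ValueError("include/redirect chain too deep at " + domain)
    total, charged = 0, []
    for term in lookup(domain).split()[1:]:  # skip the leading "v=spf1"
        term = term.lstrip(QUALIFIERS).lower()
        name, _, arg = term.partition("=" if "=" in term else ":")
        name = name.split("/")[0]  # "mx/24" is still an mx lookup
        if name not in LOOKUP_TERMS:
            continue  # ip4:, ip6:, all and exp= are free
        total += 1
        charged.append(f"{domain}: {term}")
        if name in ("include", "redirect"):  # nested records are charged too
            sub_total, sub_terms = count_spf_lookups(arg, lookup, _depth + 1)
            total += sub_total
            charged.extend(sub_terms)
    return total, charged


def check_spf(domain, lookup=fake_lookup):
    """Audit result: lookup count, whether it is within the RFC limit, and
    every term that cost a lookup so you can see which sender to trim."""
    total, charged = count_spf_lookups(domain, lookup)
    return {"domain": domain, "lookups": total,
            "within_limit": total <= LOOKUP_LIMIT, "charged_terms": charged}


if __name__ == "__main__":
    result = check_spf("yourfirm.com")
    print(f"{result['domain']}: {result['lookups']} lookups, "
          f"within limit: {result['within_limit']}")
    for entry in result["charged_terms"]:
        print("  ", entry)
```

On the constructed zone the firm's record costs 12 lookups, two over the limit, and the charged-terms list shows that the CRM's nested includes and the portal's a mechanism are what pushed it over.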

Layer 2: DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outbound messages. The receiving server retrieves your public key from DNS and verifies the signature. This confirms two things: the message originated from infrastructure you control, and the message content wasn't modified in transit.

In M365, enable DKIM signing in the Exchange Admin Center under Email Authentication. Microsoft generates a 2048-bit key pair and provides CNAME records to add to your DNS:

selector1._domainkey.yourfirm.com CNAME selector1-yourfirm-com._domainkey.yourfirm.onmicrosoft.com
selector2._domainkey.yourfirm.com CNAME selector2-yourfirm-com._domainkey.yourfirm.onmicrosoft.com

Any third-party sender—your practice management software, client intake system, newsletter platform—needs its own DKIM configuration. Each should sign with your domain or use a subdomain.

Layer 3: DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together with a policy and adds reporting. It tells receiving servers what to do with messages that fail authentication, and instructs them to send you reports about what's happening with your domain.

Start in monitoring mode to identify all your legitimate senders before enforcing:

_dmarc.yourfirm.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourfirm.com; fo=1"

After 2-4 weeks of reports, you'll see every source sending mail as your domain. Configure authentication for legitimate senders, then move to enforcement:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourfirm.com; fo=1

p=reject means receiving servers bounce messages that fail authentication. Spoofed emails impersonating your domain are blocked globally. This is the target state for every law firm.

Aggregate reports arrive as XML. Use a DMARC reporting platform—dmarcian, Valimail, or PlatOps managed DMARC—rather than parsing XML files manually.
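To show what those XML reports actually contain, here is an added example (Python, not from the article or from any of the named platforms) that summarises one aggregate report in the RFC 7489 format: per-source aligned SPF and DKIM verdicts, which vendor signed each stream, and how many messages p=reject would have blocked. The report, IPs and domain names other than yourfirm.com are constructed.

```python
"""Summarise a DMARC aggregate (RUA) report.

Added example, not from the article. The report below is constructed in the
RFC 7489 aggregate format; real reports arrive gzipped or zipped by email and
come from untrusted senders, so parse them with defusedxml in production.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name>
    <date_range><begin>1714262400</begin><end>1714348800</end></date_range>
  </report_metadata>
  <policy_published><domain>yourfirm.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourfirm.com</header_from></identifiers>
    <auth_results><dkim><domain>yourfirm.com</domain><result>pass</result></dkim>
      <spf><domain>yourfirm.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourfirm.com</header_from></identifiers>
    <auth_results><dkim><domain>crm.example</domain><result>pass</result></dkim>
      <spf><domain>yourfirm.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record><row><source_ip>203.0.113.66</source_ip><count>37</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourfirm.com</header_from></identifiers>
    <auth_results><spf><domain>badhost.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""


def summarize_dmarc(xml_text):
    """Per-source aligned results plus the message count p=reject would block."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": [],
        "would_be_rejected": 0,
    }
    for rec in root.findall("record"):
        # policy_evaluated holds the *aligned* verdicts: a DKIM signature from a
        # third-party domain passes DKIM but fails DMARC alignment.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        count = int(rec.findtext("row/count"))
        dmarc_pass = dkim == "pass" or spf == "pass"  # either aligned pass suffices
        summary["sources"].append({
            "ip": rec.findtext("row/source_ip"),
            "count": count,
            "dkim": dkim,
            "spf": spf,
            "dmarc_pass": dmarc_pass,
            # the signing domain identifies which vendor sent on your behalf
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
        if not dmarc_pass:
            summary["would_be_rejected"] += count
    return summary


def senders_needing_dkim(summary):
    """Sources that pass only on SPF: they fail once mail is forwarded, so they
    must sign with your domain before you move to p=reject."""
    return [s["ip"] for s in summary["sources"]
            if s["dmarc_pass"] and s["dkim"] != "pass"]


if __name__ == "__main__":
    s = summarize_dmarc(SAMPLE_REPORT)
    for src in s["sources"]:
        print(src["ip"], src["count"], "pass" if src["dmarc_pass"] else "FAIL",
              "dkim-domain:", src["dkim_domain"])
    print("would be rejected under p=reject:", s["would_be_rejected"])
    print("add DKIM for:", senders_needing_dkim(s))
```

The second source is the case the DKIM section warns about: the CRM signs with its own domain, so it survives only on SPF alignment and needs a DKIM selector under yourfirm.com before enforcement.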

Layer 4: MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS enforces TLS encryption for email transport between mail servers. Without it, a network attacker can downgrade connections and intercept mail in transit—a man-in-the-middle attack on your email infrastructure.

MTA-STS requires two components: a policy file hosted at https://mta-sts.yourfirm.com/.well-known/mta-sts.txt and a DNS TXT record at _mta-sts.yourfirm.com. The policy file specifies that receiving servers must use TLS when accepting mail for your domain.

For M365, Microsoft's infrastructure supports TLS by default. MTA-STS ensures that sending servers which honor the policy will refuse to deliver to your domain over an unencrypted connection, even if an attacker interferes with the STARTTLS negotiation.

These four layers together establish that (1) only authorized servers send as your domain, (2) messages are signed and verified, (3) unauthenticated messages are rejected, and (4) transport is encrypted. This is the authentication baseline every law firm should be operating at.


Microsoft 365 Security Hardening

Most law firms run M365. The default configuration is not adequate for legal practice. These are the controls that matter.

Multifactor Authentication (MFA)

MFA is non-negotiable. Password-only email accounts will eventually be compromised through credential stuffing, phishing, or breach of a reused password. MFA stops most account takeovers.

Require MFA for every account without exception—partners, associates, staff, and service accounts. Microsoft Authenticator with number matching (not SMS) is the minimum standard. FIDO2 hardware keys (YubiKey) are preferable for high-privilege accounts.

Conditional Access policies in Azure AD (now Entra ID) enforce MFA requirements and can add location-based and device compliance conditions. At minimum, configure:

  • Require MFA for all users
  • Block legacy authentication protocols (IMAP, POP3, SMTP AUTH)—these bypass MFA entirely
  • Require a compliant (managed) device for access, so that unmanaged devices are blocked

Blocking legacy protocols is critical. Attackers specifically target IMAP access on M365 accounts because it bypasses MFA. If attorneys need access from email clients that don't support modern authentication, update the clients.

Conditional Access Policies

Beyond MFA, Conditional Access can enforce:

  • Named location policies (flag logins from unexpected countries)
  • Sign-in risk policies (trigger step-up authentication on suspicious logins)
  • Session controls (require re-authentication after inactivity)
  • App-enforced restrictions (prevent download of sensitive email attachments on unmanaged devices)

For firms handling matters with international clients, configure location policies carefully to avoid lockouts. But a login from a country where no one in the firm operates should trigger immediate review.

Audit Logging

Enable Unified Audit Logging in the Microsoft Purview compliance portal. Default M365 audit log retention is 180 days for E3/E5 licenses (extended from 90 days in late 2023). While improved, that's still limited for incident response in long-running matters—you need sufficient log history to reconstruct what happened.

Keep retention at the full 180 days available on E3 licenses, and use a SIEM or log export for anything longer. Critical audit events to monitor:

  • Mailbox forwarding rules created (common persistence mechanism—attacker creates a rule forwarding all email to external address)
  • Inbox rules created with delete actions (attacker hides responses to phishing emails)
  • Logins from new countries or IP ranges
  • Mass email download or export operations
  • Permission changes on shared mailboxes

Automated alerts for forwarding rule creation should be configured immediately. This is one of the most common persistence techniques in BEC attacks and is trivial to detect if you're monitoring for it.
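The forwarding-rule and delete-rule detection described above, as an added example (Python, not from the article or from Microsoft): it scans Unified Audit Log records for inbox-rule and mailbox changes that forward outside the firm or silently delete mail. The records are constructed to mirror the AuditData JSON returned by Search-UnifiedAuditLog; FIRM_DOMAINS is an assumed list of the firm's own domains.

```python
"""Flag forwarding and delete rules in Microsoft 365 Unified Audit Log records.

Added example, not from the article. Records below are constructed to mirror
the AuditData JSON returned by Search-UnifiedAuditLog for Exchange cmdlets;
FIRM_DOMAINS is an assumed list of the firm's own domains.
"""
import json

FIRM_DOMAINS = {"yourfirm.com", "yourfirm.onmicrosoft.com"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample: a partner's mailbox gets a forward-and-delete rule from an
# unfamiliar IP, an admin sets an internal forward, an associate drops newsletters.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"CreationTime": "2026-04-27T02:14:09", "Operation": "New-InboxRule",
     "UserId": "partner@yourfirm.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "wire;closing;escrow"},
                    {"Name": "ForwardTo", "Value": "smtp:mail.relay42@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-04-27T09:02:51", "Operation": "Set-Mailbox",
     "UserId": "admin@yourfirm.com", "ClientIP": "198.51.100.8",
     "Parameters": [{"Name": "Identity", "Value": "paralegal1"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:assistant@yourfirm.com"}]},
    {"CreationTime": "2026-04-27T11:40:00", "Operation": "New-InboxRule",
     "UserId": "associate@yourfirm.com", "ClientIP": "198.51.100.8",
     "Parameters": [{"Name": "Name", "Value": "Drop newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Newsletter"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-04-27T11:41:12", "Operation": "MailItemsAccessed",
     "UserId": "associate@yourfirm.com", "ClientIP": "198.51.100.8"},
]]


def _params(record):
    """Exchange audit records carry cmdlet arguments as Name/Value pairs."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _addresses(value):
    """Split a forwarding parameter into bare addresses (strips 'smtp:')."""
    out = []
    for raw in value.replace(";", ",").split(","):
        addr = raw.strip().strip('"')
        if addr.lower().startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr:
            out.append(addr.lower())
    return out


def detect_forwarding(log_lines, firm_domains=FIRM_DOMAINS):
    """Return one alert per rule/mailbox change that forwards outside the firm
    (high) or deletes mail without forwarding (medium, review manually)."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = _params(rec)
        external = [a for name in sorted(FORWARD_PARAMS)
                    for a in _addresses(params.get(name, ""))
                    if a.split("@", 1)[1] not in firm_domains]
        deletes = params.get("DeleteMessage", "").lower() == "true"
        if not external and not deletes:
            continue
        alerts.append({
            "time": rec.get("CreationTime"), "user": rec.get("UserId"),
            "operation": rec["Operation"], "client_ip": rec.get("ClientIP"),
            "external_targets": external, "deletes_mail": deletes,
            "severity": "high" if external else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_forwarding(SAMPLE_LOG):
        print(a["severity"].upper(), a["time"], a["user"], a["operation"],
              a["external_targets"] or "", "deletes" if a["deletes_mail"] else "")
```

Internal forwards set by an admin are deliberately not alerted; the same logic fed from a scheduled Search-UnifiedAuditLog export gives you the forwarding-rule alert the roadmap below calls for.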

Defender for Office 365

Microsoft Defender for Office 365 (Plan 2, included in M365 E5 or available as an add-on) adds:

  • Safe Links: rewrites URLs in email and performs real-time reputation checks at click time
  • Safe Attachments: detonates attachments in a sandbox before delivery
  • Anti-phishing policies with impersonation protection
  • Attack simulation training

Anti-phishing impersonation protection is particularly relevant for law firms. Configure it to protect all partner email addresses and your firm's domain. It detects cases where an attacker sends from a lookalike domain (yourfirm-legal.com instead of yourfirm.com) or spoofs a partner's display name.


Email Encryption for Attorney-Client Privilege

ABA Formal Opinion 477R identifies certain categories of communication—matters involving security, trade secrets, or highly sensitive personal information—where standard email isn't adequate and encryption is required.

Transport-Level Encryption: TLS

TLS encrypts the connection between mail servers (and between mail clients and servers). M365 uses TLS by default. The issue is opportunistic TLS: if the receiving server doesn't support TLS, the connection falls back to unencrypted. MTA-STS (described above) prevents this downgrade for inbound mail.

For outbound mail to specific domains, M365 allows connector-level TLS enforcement. If you regularly exchange sensitive documents with a financial institution or title company that supports TLS, configure a mandatory TLS connector to that domain.

Message-Level Encryption: Microsoft Purview Message Encryption

For sensitive client communications, message-level encryption is appropriate. Microsoft Purview Message Encryption (formerly OME) allows attorneys to send encrypted email that recipients open through a web portal or by authenticating with a Microsoft or Google account. No client-side certificate management is required.

Configure sensitivity labels in Microsoft Purview to automatically encrypt messages that contain defined sensitive content—Social Security numbers, account numbers, attorney-client privilege markers. Attorneys can also manually apply encryption before sending.

S/MIME for Cross-Firm Communication

S/MIME provides end-to-end encryption and digital signatures using public key infrastructure. Both sender and recipient need certificates. This creates friction—certificate management, distribution of public keys, client compatibility—that limits its practical use to specific high-trust relationships.

For firms that regularly exchange sensitive documents with other law firms, corporate legal departments, or government agencies that operate S/MIME infrastructure, it's worth implementing. For general client communication, Microsoft Purview Message Encryption is more practical.

Rights Management

Microsoft Purview Information Protection (formerly Azure Information Protection) applies persistent rights management policies to documents and emails—restrictions that travel with the content. A document labeled "Privileged and Confidential" can be configured to prevent forwarding, printing, or saving to unmanaged devices. Rights management is appropriate for highly sensitive matters where you need control beyond the initial send.


Phishing Protection and Legal-Specific Training

Technical controls reduce attack surface; training addresses the gap that technology can't fully close. The human element in BEC attacks is deliberate—attackers invest in social engineering because it works.

Legal-Specific Phishing Scenarios

Generic security awareness training isn't adequate. Attorneys need to recognize attacks that are tailored to legal practice:

  • Wire instruction changes: A closing attorney receives an email from "title company" with revised wiring instructions one hour before closing. The email looks legitimate. The domain is titleco-llc.com instead of titlecollc.com. This is the most common BEC attack against law firms.

  • Opposing counsel spoofing: An email appearing to come from opposing counsel proposes last-minute settlement terms and includes a DocuSign link for "immediate signature." The DocuSign link harvests credentials.

  • Client impersonation: An email from a client's personal account (compromised) instructs the firm to release escrow funds to a new account. The client's business email was breached; attackers are now working the attorney relationship.

  • Partner account takeover: An attacker with access to a partner's email sends instructions to accounting to process an urgent wire for a matter. The email is legitimate—sent from the compromised account. No spoofing involved.

Run simulated phishing exercises quarterly using legal-specific scenarios, not generic IT security templates. Track click rates by practice group and repeat testing on high-risk individuals.

Process Controls That Override Email

The most effective defense against wire fraud is a call-back verification procedure that's documented, mandatory, and not optional based on time pressure:

  1. Any wire instruction received by email must be verified by phone call to a previously known number—not a number provided in the email
  2. Any change to payment instructions triggers mandatory verification regardless of apparent sender
  3. Attorneys and staff are authorized and expected to delay a closing to complete verification

This procedure needs explicit support from firm leadership. The culture pressure in real estate closings is to expedite, not slow down. Attorneys need permission—and instruction—to invoke verification procedures even when clients are waiting and counterparties are frustrated.

Document the procedure in your firm's written information security policy and include it in engagement letters for matters involving fund disbursement. This creates a record of due diligence if a client later claims the firm should have prevented a fraud.


Email Archiving and Retention

Law firms have legal hold, e-discovery, and regulatory obligations that require email retention beyond standard mailbox management.

Retention Requirements

State bar rules on client file retention vary—most require retention of client files for 5-7 years after matter closing, with longer requirements in specific practice areas. Matter-related email is part of the client file. M365 Retention Policies in Microsoft Purview can enforce minimum retention periods and prevent deletion of matter-related communications.

Configure retention policies to:

  • Preserve all email for a minimum retention period (consult your state bar and malpractice carrier)
  • Apply longer retention to email in specific SharePoint sites or mailboxes tied to open matters
  • Prevent attorney deletion of email that may be subject to litigation hold

Litigation Hold

When litigation is reasonably anticipated, the duty to preserve electronically stored information applies to your firm's own email as well as client documents. M365 eDiscovery and In-Place Hold allow you to place a litigation hold on specific mailboxes, preventing deletion of responsive communications regardless of retention policy settings.

The failure to preserve is spoliation. Make sure your litigation hold procedure includes firm email as a preservation target, not just client-provided documents.

M365 Archive Mailboxes

Enable auto-expanding archive mailboxes for all attorney accounts. This prevents primary mailbox size limits from causing email loss and ensures complete historical records are available for e-discovery. Archive mailboxes are included in M365 E3 and higher.

Third-Party Archiving

For firms with complex e-discovery requirements, dedicated legal hold and archiving platforms (Hanzo, Smarsh, Global Relay) offer more granular control than M365 native tools. They provide immutable audit trails, custodian-level hold management, and integration with e-discovery review platforms like Relativity.

For most small and mid-sized firms, M365 native archiving with properly configured retention policies and litigation hold procedures is sufficient.


90-Day Implementation Roadmap

This sequence minimizes disruption while building the security stack systematically.

Days 1-30: Foundation and Visibility

Priority | Action                                               | Owner
---------|------------------------------------------------------|-----------------
Critical | Enable MFA for all accounts                          | IT / M365 Admin
Critical | Block legacy authentication protocols                | IT / M365 Admin
Critical | Enable Unified Audit Logging with 180-day retention  | IT / M365 Admin
High     | Deploy DMARC at p=none and begin collecting reports  | IT / DNS Admin
High     | Enable DKIM signing in M365 Exchange Admin Center    | IT / M365 Admin
High     | Audit SPF record accuracy                            | IT / DNS Admin
High     | Enable mailbox forwarding rule alerts                | IT / M365 Admin

The first 30 days focus on MFA and audit logging—the controls that stop the most common attacks and provide the visibility to detect incidents. DMARC goes live in monitoring mode so you can see your complete email landscape before enforcing policy.

Days 31-60: Authentication Enforcement and Hardening

Priority | Action                                                   | Owner
---------|----------------------------------------------------------|----------------------------------
Critical | Analyze DMARC reports, remediate unauthorized senders    | IT / DNS Admin
Critical | Move DMARC to p=quarantine                               | IT / DNS Admin
High     | Configure Conditional Access: location and device policies | IT / M365 Admin
High     | Enable MTA-STS                                           | IT / DNS Admin
High     | Configure Microsoft Defender anti-phishing policies      | IT / M365 Admin
High     | Enable Safe Links and Safe Attachments                   | IT / M365 Admin
Medium   | Configure Microsoft Purview Message Encryption           | IT / M365 Admin
Medium   | Document wire transfer verification procedure            | Managing Partner / Office Manager

Days 61-90: Full Enforcement and Training

Priority | Action                                                            | Owner
---------|-------------------------------------------------------------------|----------------------
Critical | Move DMARC to p=reject                                            | IT / DNS Admin
High     | Configure M365 retention policies per state bar requirements      | IT / M365 Admin
High     | Enable auto-expanding archive mailboxes                           | IT / M365 Admin
High     | Run first phishing simulation with legal-specific scenarios       | IT / Security
High     | Conduct wire fraud prevention training for all attorneys and staff | Managing Partner / IT
Medium   | Document security controls in written information security policy | Managing Partner
Medium   | Review engagement letter language for fund disbursement matters   | Managing Partner

By day 90, you have authentication enforcement preventing domain spoofing, MFA blocking account takeover, behavioral monitoring detecting anomalies, encrypted transport for sensitive communications, compliant archiving, and trained staff who recognize legal-specific attacks.

This isn't a one-time project. DMARC requires ongoing monitoring as you add senders. Conditional Access policies need review when firm structure changes. Phishing simulations should run quarterly. Add these to your annual security review calendar.


Putting It Together

Law firm email security has three distinct purposes: authentication that prevents your domain from being impersonated, access controls that prevent your accounts from being compromised, and process controls that prevent human error from completing an attack that gets through the technical stack.

No single control is sufficient. DMARC at p=reject doesn't stop a compromised account. MFA doesn't stop a wire fraud attack where the attorney's account is legitimate but the instructions are social engineering. The wire transfer verification procedure catches attacks that bypass every technical control.

The combination—authentication, hardened M365, encrypted transmission, behavioral monitoring, and trained staff with documented procedures—provides defense in depth appropriate for the threat environment law firms operate in. The ABA's guidance on competence and confidentiality reflects an expectation that firms will maintain this kind of layered approach.

If your firm doesn't have DMARC at enforcement, MFA blocking legacy authentication, and audit logging enabled today, those are the starting points. Each of them closes a significant attack surface with relatively low implementation friction.


PlatOps provides managed email security services built for professional services firms, including DMARC management, advanced email threat protection, and M365 security hardening. Our email security packages are available as standalone products—no long-term contract required.

View email security products and pricing to see options appropriate for your firm size and risk profile, or contact us to discuss your specific requirements.
