Background
A regional law firm's finance team received a payment instruction from what appeared to be a senior partner's email account, directing a £240,000 client escrow payment to an alternative account. The payment was made before the instruction was queried.
The firm engaged Binary Response 18 hours after the payment was identified as potentially fraudulent. By that point, the funds had already moved through two intermediary accounts.
Investigation
Microsoft 365 forensics identified that the partner's account had been compromised 23 days before the fraudulent payment, via a targeted phishing email. The attacker then spent 22 days in the mailbox: reading correspondence, learning client names and transaction patterns, and waiting for the right payment to redirect.
An inbox rule had been created in the partner's mailbox to forward, and then delete, any message containing keywords associated with payment instructions. Because replies and queries about the transfer matched the rule, the partner never saw them until it was too late. Rules of this kind are standard business email compromise tradecraft rather than anything exotic: they are created through Outlook on the web or the Exchange Online cmdlets, they leave New-InboxRule and Set-InboxRule events in the Microsoft 365 audit log, and enumerating every rule in the affected mailbox (including hidden ones) is one of the first checks in a mailbox compromise investigation.
Our investigation identified the full scope of email access: which client communications had been read, whether other payment diversions had been attempted, and whether any confidential client data had been exfiltrated. On the last question, approximately 340 client files had been accessed over the 23-day dwell period, and since exfiltration of them could not be ruled out they had to be treated as exfiltrated.
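To make the detection concrete, here is an added example (not Binary Response's tooling and not code from the original page) that triages inbox-rule events of the kind described above. It assumes the record shape of Exchange cmdlet audit events exported from the Microsoft 365 Unified Audit Log: an `Operation` of `New-InboxRule` or `Set-InboxRule`, with the cmdlet parameters (`ForwardTo`, `DeleteMessage`, `SubjectOrBodyContainsWords`, `MoveToFolder`, and so on) in a list of `Name`/`Value` pairs, and multi-valued parameters joined with `;`. The sample records, addresses, IPs, rule names and the payment keyword list are constructed for illustration.

```python
"""Flag inbox rules that forward, delete or hide payment-related mail.

Added example. The audit records below are constructed to mirror the Unified
Audit Log export of Exchange cmdlet events; the keyword list, the set of
"hiding" folders and the severity thresholds are assumptions, not a standard.
"""
import json
from typing import Dict, Iterable, List, Optional, Set

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
CONDITION_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
# Folders attackers commonly route mail into so the mailbox owner never sees it (assumption).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email", "deleted items"}
# Constructed keyword list for payment-instruction traffic.
PAYMENT_KEYWORDS = {"payment", "invoice", "bank", "account", "transfer", "remittance", "escrow", "wire", "iban", "sort code"}

# Constructed sample: three rule events plus one unrelated event that must be ignored.
SAMPLE_AUDIT_JSON = r'''
[
 {"CreationTime": "2024-03-02T06:41:17", "Operation": "New-InboxRule", "Workload": "Exchange",
  "UserId": "partner@example-lawfirm.invalid", "ClientIP": "203.0.113.45",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "SubjectOrBodyContainsWords", "Value": "payment;invoice;bank details;remittance"},
                 {"Name": "ForwardTo", "Value": "partner.escrow@example-mailbox.invalid"},
                 {"Name": "DeleteMessage", "Value": "True"},
                 {"Name": "MarkAsRead", "Value": "True"}]},
 {"CreationTime": "2024-02-20T09:05:02", "Operation": "New-InboxRule", "Workload": "Exchange",
  "UserId": "partner@example-lawfirm.invalid", "ClientIP": "198.51.100.8",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                 {"Name": "From", "Value": "news@example-publisher.invalid"},
                 {"Name": "MoveToFolder", "Value": "Reading"}]},
 {"CreationTime": "2024-03-03T22:10:44", "Operation": "Set-InboxRule", "Workload": "Exchange",
  "UserId": "partner@example-lawfirm.invalid", "ClientIP": "203.0.113.45",
  "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                 {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                 {"Name": "SubjectContainsWords", "Value": "query;transfer"}]},
 {"CreationTime": "2024-03-03T22:12:00", "Operation": "MailItemsAccessed", "Workload": "Exchange",
  "UserId": "partner@example-lawfirm.invalid", "ClientIP": "203.0.113.45"}
]
'''


def parameters(record: dict) -> Dict[str, str]:
    """Flatten the cmdlet Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def keyword_hits(params: Dict[str, str]) -> Set[str]:
    """Payment keywords appearing in any of the rule's text conditions."""
    hits: Set[str] = set()
    for name in CONDITION_PARAMS:
        for word in params.get(name, "").split(";"):  # ';'-joined multi-values (assumption)
            word = word.strip().lower()
            if word:
                hits.update(k for k in PAYMENT_KEYWORDS if k in word)
    return hits


def assess_rule(record: dict) -> Optional[dict]:
    """Return a finding for a suspicious rule event, or None if benign/irrelevant."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = parameters(record)
    reasons: List[str] = []
    if FORWARDING_PARAMS & params.keys():
        reasons.append("forwards or redirects mail")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to %r" % params["MoveToFolder"])
    hits = keyword_hits(params)
    if hits:
        reasons.append("matches payment keywords: " + ", ".join(sorted(hits)))
    if not reasons:
        return None
    hides_or_exfiltrates = any(r.startswith(("forwards", "deletes", "moves")) for r in reasons)
    severity = "high" if (hits and hides_or_exfiltrates) else "medium" if hides_or_exfiltrates else "low"
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "client_ip": record.get("ClientIP"),
        "operation": record["Operation"],
        "rule": params.get("Name") or params.get("Identity"),
        "severity": severity,
        "reasons": reasons,
    }


def triage(records: Iterable[dict]) -> List[dict]:
    """Suspicious rule events, highest severity first, then oldest first."""
    findings = [f for f in (assess_rule(r) for r in records) if f]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["time"] or ""))


def triage_json(text: str) -> List[dict]:
    return triage(json.loads(text))


if __name__ == "__main__":
    for f in triage_json(SAMPLE_AUDIT_JSON):
        print("%-6s %s %s from %s %s rule=%r: %s" % (f["severity"].upper(), f["time"], f["user"],
              f["client_ip"], f["operation"], f["rule"], "; ".join(f["reasons"])))
```

In a live investigation the records would come from the `AuditData` field of `Search-UnifiedAuditLog` output or a Purview export, and the result should be compared against what `Get-InboxRule -IncludeHidden` currently shows for the mailbox. Two caveats: rules created from the Outlook desktop client are recorded as mailbox-audit `UpdateInboxRules` events rather than cmdlet events and need separate parsing, and a rule whose name is a single character or blank (as in the first sample) is itself a common attacker signature worth surfacing on its own.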
Breach Notification & ICO
This triggered GDPR notification obligations. We worked with the firm's data protection officer and external legal counsel to determine the notification scope, draft the ICO submission, and identify which data subjects required direct notification.
The ICO submission was filed within 72 hours of the breach scope being confirmed. Under UK GDPR Article 33 the 72-hour clock runs from the point the controller becomes aware of the breach rather than from scope determination, and the regulation allows the notification to be made in phases, so an initial report can be filed and supplemented as the forensic picture firms up. The ICO's subsequent enquiries were managed by our team in conjunction with the firm's lawyers; the forensic documentation answered them without the ICO requiring further investigation.
Insurance Claim
The firm held cyber and crime insurance. We produced a forensic evidence package specifically structured for the insurer's claims requirements, covering the timeline, access scope, and financial fraud evidence. The claim was accepted in full.
Outcome
- Full attack timeline reconstructed — entry to exfiltration to fraud
- Client data access scope determined — 340 files accessed, no further exfiltration identified beyond initial set
- ICO notification filed and closed without enforcement action
- Insurance claim accepted in full
- Post-incident: MFA enforced, conditional access policies deployed, ongoing M365 monitoring implemented
"The forensic report was the difference between an accepted claim and a dispute. Binary Response produced exactly what our insurer needed."
— Managing Partner