The court order that wasn't

A commercial litigator targeted by a sophisticated whale phishing attack carrying an undetected keylogger

  • Keylogger: found in the PDF attachment
  • 0: commercial scanners that detected it
  • Targeted: content matched the firm's current cases

The situation

A boutique commercial litigation law firm received a suspicious email that appeared to be a court order. Aware of the prevalence of phishing attacks targeting law firms, they asked us for an opinion on the email. The goal was to determine the legitimacy of the email and assess potential risks to the firm’s sensitive information and financial assets.

Details in this case study have been altered to protect client confidentiality. The core facts, forensic methodology, and outcomes are accurate.

What we found

Our examination of the email and the attached PDF document revealed:

  • The PDF contained a keylogger, a malicious tool designed to record and transmit the user’s keystrokes, potentially allowing unauthorised access to sensitive information
  • The court order was skilfully crafted to appear legitimate, with content tailored to the law firm’s current activities
  • The PDF had not yet been identified by any commercial virus scanners, highlighting the sophistication of the attack
  • The email metadata indicated a carefully constructed delivery mechanism designed to bypass the firm’s email security

How we responded

  1. Email and attachment analysis: examining metadata, PDF structure, and embedded code
  2. Malware identification: specialised testing to identify the hidden keylogger and its capabilities
  3. Impact assessment: determining whether the malware had been executed and whether any data had been compromised
  4. Remediation guidance: providing the firm with specific steps to protect their systems and sensitive information
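The first step above, examining PDF structure and embedded code, is usually done with static triage before the file is ever opened. The script below is an added illustration of that kind of triage and is not the firm's tooling or code from this case study: it counts the PDF name objects that can trigger code or file execution on open (the same keywords tools such as pdfid look for), decodes the `#xx` name escapes attackers use to hide them (so `/J#61vaScript` is still recognised as `/JavaScript`), and returns a simple verdict. Both PDF samples are constructed inline for the demonstration; the JavaScript payload in the suspicious one is a harmless placeholder string.

```python
import re

# PDF name objects that triage tools flag because they can cause code or file
# execution when the document is opened (the list mirrors pdfid's keywords).
RISKY_KEYWORDS = [
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/ObjStm",
]

# Constructed sample: a catalog whose /OpenAction runs a JavaScript action with
# an obfuscated name (/J#61vaScript) and an embedded file. The JS is a placeholder.
SAMPLE_SUSPICIOUS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj
4 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a minimal one-page PDF with no active content.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalise_names(data: bytes) -> bytes:
    """Decode PDF name escapes (#xx) so obfuscated names compare as plain text.

    This is applied to the whole file, including stream data, which is fine for
    triage: we only want keyword counts, not a faithful parse.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count risky PDF keywords and return a coarse verdict for analyst review."""
    body = normalise_names(data)
    counts = {}
    for kw in RISKY_KEYWORDS:
        # A PDF name ends at whitespace or a delimiter, so require that the
        # next byte is not alphanumeric (otherwise /JS would match /JSX...).
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, body))
        if n:
            counts[kw.decode()] = n

    objects = len(re.findall(rb"\bobj\b", body))
    auto_exec = any(k in counts for k in ("/OpenAction", "/AA"))
    active = any(k in counts for k in
                 ("/JavaScript", "/JS", "/Launch", "/RichMedia", "/XFA"))
    has_payload = "/EmbeddedFile" in counts

    if auto_exec and active:
        verdict = "high"      # something runs automatically on open
    elif auto_exec or active or has_payload:
        verdict = "medium"    # active content or a dropped file, needs a closer look
    else:
        verdict = "low"       # no execution primitives found (not proof of safety)

    return {"objects": objects, "counts": counts,
            "auto_exec": auto_exec, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_pdf(sample))
```

A "low" verdict only means the file contains none of the usual execution primitives; it does not rule out an exploit against the viewer itself, which is why a suspicious document should still go to a specialist for sandboxed analysis rather than being opened on a workstation.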

The outcome

We identified a well-executed phishing attack before it could cause damage. The forensic analysis gave the firm a clear understanding of the threat and the specific measures needed to protect their sensitive information and financial assets.

The fact that no commercial virus scanner had detected the malware underscored that automated security tools alone are insufficient. Sophisticated attackers create custom malware specifically to evade detection.

Lessons for similar organisations

  • Court orders and legal documents are common phishing lures for law firms. Attackers research their targets and craft emails that match the firm’s current work. Verify unexpected court documents through official channels.
  • Commercial virus scanners do not catch everything. Sophisticated phishing attacks use custom malware designed to evade automated detection. If something feels suspicious, have it analysed by a specialist before opening.
  • Law firms handling significant financial matters are high-value targets. Trust accounts, settlement funds, and sensitive client information make litigation firms attractive to attackers.