
How a Phone Call Became a Malware Infection at a Law Firm

A real-world look at a social engineering campaign targeting professional services firms — and what it takes to stop it.

Prepared by DP3  ·  Published April 2026

Table of Contents
  1. The 30-Second Summary
  2. Why Law Firms
  3. The Attack Pattern
  4. Why It’s Hard to Stop
  5. What Stops It
  6. If You’ve Been Hit
  7. How DP3 Helps

A caller posing as a prospective client calls a law firm’s intake line and describes a car accident. A few minutes later, an email arrives with a link to “the police report.” A staff member, already expecting the file, clicks the link, opens the attachment, and double-clicks what looks like a Word document.

It isn’t a Word document. It’s malware — and the attacker now has a foothold inside the firm.

DP3 has now responded to this exact playbook more than once in recent months. The targets have been law firms. The pattern is identical every time. This case study explains how the attack works, why it keeps succeeding, and what firms can do to prevent it.

Why Law Firms Are Being Targeted

Law firms are high-value targets for a simple reason: the data on their workstations is sensitive, time-pressured, and valuable. Case files, client communications, settlement information, medical records, and financial data all live in the same environment. A single compromised workstation can expose an entire practice area.

Attackers also know that intake teams at law firms are paid to be responsive. A prospective client calling about an accident, a contract dispute, or an estate matter is exactly the kind of contact the firm wants to receive. That responsiveness is the exact trait the attacker is exploiting.

The Attack Pattern, Step by Step

Step 1: The Vishing Call

The attack begins with a phone call, not an email. This is deliberate. A voice on the other end of the line is far more persuasive than a cold email, and it establishes context that makes everything that follows feel legitimate.

The caller identifies himself as a prospective client. He describes a motor vehicle accident in plausible detail and tells the intake person he will be sending over a police report, accident photos, or proof of insurance. The conversation is brief, polite, and unremarkable.

What Is Vishing?

Vishing — voice phishing — is a social engineering technique where an attacker uses a phone call to manipulate a target. Its only purpose here is to prime the target to expect a file and to trust it when it arrives.

Step 2: The Email and the Cloud Link

Minutes later, an email arrives referencing the phone call. The subject line is something ordinary: “Police Report,” “Car accident documents,” or similar.

The email does not contain a malicious attachment. Instead, it contains a link to a legitimate cloud storage service — most commonly Microsoft OneDrive personal storage. Because the message is sent from a genuine consumer mailbox, it passes SPF, DKIM, and DMARC checks; because the link points to a real Microsoft domain, it typically bypasses email security filters that are looking for malicious attachments or suspicious domains.

The sender address is usually a free consumer mailbox (outlook.com, gmail.com) and sometimes uses subtle misspellings of common names to look familiar at a glance.

Step 3: The Disk Image Trick

The cloud link downloads a ZIP archive. Inside the ZIP is an .img file — a disk image. This is the most important technical detail of the entire attack.

Why Disk Images Are Dangerous

When a user double-clicks an .img file on a modern Windows computer, Windows mounts it as a virtual drive — the same way it would mount a DVD or USB stick. A new drive letter appears in File Explorer. Inside that drive, the user sees what looks like a normal folder of files: a few accident photos, a PDF of insurance paperwork, and something that passes for a document but is actually an executable, named along the lines of Accident_Report.exe or Accident_Report.scr.

Disk images bypass the “Mark of the Web” — the Windows security flag that would normally warn the user before running a file downloaded from the internet. Files inside a mounted .img are treated as if they came from local media, and no warning is shown.
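The following is an added triage helper, not code from the DP3 case study. It shows the point above concretely: it reads the Zone.Identifier stream that carries the Mark of the Web, reports the drive type the file sits on (a mounted image presents as a CD-ROM class drive), and flags an executable hiding behind a document-style name. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and local drive letters; the sample paths in the usage comments are placeholders.

```powershell
# Added example, not code from the DP3 case study. Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows, with files on local drive letters (no UNC paths).
function Get-MotwStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $item = Get-Item -LiteralPath $Path -ErrorAction Stop

        # Mark of the Web is stored in the Zone.Identifier alternate data stream.
        # A file inside a mounted .img has no such stream, so SmartScreen and the
        # "Open File - Security Warning" prompt never fire for it.
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        $zoneLine = @($zone) -match '^ZoneId=' | Select-Object -First 1
        if ($zoneLine -match '^ZoneId=(\d)') { $zoneId = [int]$Matches[1] }

        # A mounted .iso/.img appears as a CD-ROM class drive (DriveType 5),
        # which is why Windows treats its contents like local media.
        $letter = $item.PSDrive.Name
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${letter}:'"

        # Executable extension behind a document-style name is the lure shape
        # described above (Accident_Report.exe / .scr).
        $lure = ($item.Extension -in @('.exe', '.scr', '.com', '.pif', '.cpl')) -and
                ($item.BaseName -match 'report|photo|invoice|document|statement|insurance')

        [pscustomobject]@{
            File           = $item.FullName
            HasMotw        = [bool]$zone
            ZoneId         = $zoneId           # 3 = Internet zone
            DriveType      = $disk.DriveType   # 2 removable, 3 fixed, 5 CD-ROM or mounted image
            ExecutableLure = $lure
        }
    }
}

# Usage: compare something saved from a browser with the contents of a mounted
# image (E: is a placeholder for whatever letter Windows assigned).
# Get-MotwStatus -Path "$env:USERPROFILE\Downloads\Police_Report.zip"
# Get-ChildItem -Path 'E:\' -File | Get-MotwStatus | Format-Table -AutoSize
```

Run it against a file you saved from a browser and then against the files on a mounted image: the first carries ZoneId 3, the second carries no stream at all, which is the whole reason the disk image is in the chain.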

Step 4: The Signed Executable

The executable inside the disk image is not, strictly speaking, malware. It is a legitimate, signed application — typically a real PDF reader or similar utility that has been renamed. Because it carries a valid digital signature from a legitimate software publisher, many antivirus tools treat it as trusted.

Sitting next to the executable in the disk image is a malicious DLL file with a name the executable is designed to load at startup. When the user double-clicks the renamed executable, Windows loads the malicious DLL alongside it. This technique is called DLL sideloading, and it is one of the most effective ways attackers smuggle code past endpoint defenses.

At this point, the attacker’s code is running inside a trusted process, on the user’s workstation, with the user’s permissions.
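As an added detection example (not code from the DP3 case study), the function below looks for the sideloading shape just described in image-load telemetry: a process loading an unsigned DLL from its own directory, outside the Windows and Program Files trees. The records are constructed to mirror the fields of Sysmon Event ID 7 (Image loaded); the process names, DLL name, user and drive letter are placeholders. In production the input comes from Get-WinEvent, as shown in the comment at the end.

```powershell
# Added example, not code from the DP3 case study. Sample records are constructed
# to mirror Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, User, UtcTime).
function Find-SideloadCandidate {
    param(
        [Parameter(Mandatory)][object[]]$ImageLoadEvent,
        # Directories a line-of-business DLL may legitimately be loaded from.
        [string[]]$TrustedRoot = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    )
    foreach ($e in $ImageLoadEvent) {
        $exeDir = Split-Path -Parent $e.Image
        $dllDir = Split-Path -Parent $e.ImageLoaded

        $trusted = $false
        foreach ($root in $TrustedRoot) {
            if ($dllDir.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true; break }
        }
        # Sideloading shape: the host process pulls a DLL from its own directory,
        # that directory is outside the OS/Program Files trees, and the DLL is unsigned.
        $sameDir = [string]::Equals($exeDir, $dllDir, [StringComparison]::OrdinalIgnoreCase)
        if ($sameDir -and -not $trusted -and $e.Signed -eq 'false') {
            [pscustomobject]@{
                UtcTime = $e.UtcTime
                User    = $e.User
                Process = $e.Image
                Dll     = $e.ImageLoaded
                Reason  = "unsigned DLL loaded from the process's own directory outside trusted roots"
            }
        }
    }
}

# Constructed sample: a normal system load, then a renamed host program on a
# mounted image (E:) pulling an unsigned DLL from beside itself, then the same
# host program loading a genuine system DLL.
$sample = @(
    [pscustomobject]@{ UtcTime = '2026-03-10 14:02:11.120'; User = 'FIRM\intake01'
        Image = 'C:\Windows\System32\notepad.exe'; ImageLoaded = 'C:\Windows\System32\kernel32.dll'
        Signed = 'true';  Signature = 'Microsoft Windows' }
    [pscustomobject]@{ UtcTime = '2026-03-10 14:05:40.331'; User = 'FIRM\intake01'
        Image = 'E:\Accident_Report.exe'; ImageLoaded = 'E:\viewer_support.dll'
        Signed = 'false'; Signature = '' }
    [pscustomobject]@{ UtcTime = '2026-03-10 14:05:40.338'; User = 'FIRM\intake01'
        Image = 'E:\Accident_Report.exe'; ImageLoaded = 'C:\Windows\System32\version.dll'
        Signed = 'true';  Signature = 'Microsoft Windows' }
)
Find-SideloadCandidate -ImageLoadEvent $sample | Format-List

# Production input (Sysmon installed with an ImageLoad rule; flatten EventData to properties):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents 10000 |
#     ForEach-Object { $x = [xml]$_.ToXml(); $h = @{}; foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }; [pscustomobject]$h }
# Find-SideloadCandidate -ImageLoadEvent $events
```

Only the second record is reported: the first and third are loads from the Windows tree. The trusted-root list is the tuning point; a vendor application that ships its own DLLs under a user-profile path will show up here and should be added as an exception rather than hidden by loosening the rule.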

Step 5: Command and Control

Once the malicious DLL executes, it reaches out to a remote server under the attacker’s control. From that moment forward, the attacker has hands-on-keyboard access to the workstation.

What happens next varies. We have seen variants of this campaign that:

  • Establish persistence through Windows Run keys and scheduled tasks so the malware survives a reboot
  • Download additional payloads, including remote access tools and credential stealers
  • Pivot to other systems on the network
  • Stage data for exfiltration
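The persistence locations named above (Run keys and scheduled tasks) are the first places a responder looks. As an added example, not code from the DP3 case study, the function below lists Run/RunOnce entries and scheduled task actions whose executable lives outside the Windows and Program Files trees. It assumes a Windows host and the built-in ScheduledTasks module; run it once as the affected user (for HKCU) and once elevated (for HKLM and the full task library).

```powershell
# Added example, not code from the DP3 case study. Surfaces autostart entries
# that point outside the OS and Program Files trees for a responder to review.
function Find-UserlandPersistence {
    param(
        [string[]]$TrustedRoot = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    )
    function Test-Trusted([string]$Command) {
        if (-not $Command) { return $true }
        # Keep only the executable: strip a quoted path's quotes, drop arguments,
        # expand %SystemRoot%-style references.
        $exe = (($Command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe)\s.*$', '$1')
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        foreach ($root in $TrustedRoot) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
        return $false
    }

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }          # provider metadata, not a Run value
            if (-not (Test-Trusted $v.Value)) {
                [pscustomobject]@{ Source = $key; Name = $v.Name; Command = $v.Value }
            }
        }
    }

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; only Exec actions matter here.
            if ($action.Execute -and -not (Test-Trusted $action.Execute)) {
                [pscustomobject]@{
                    Source  = "Task $($task.TaskPath)$($task.TaskName)"
                    Name    = $task.Author
                    Command = ($action.Execute + ' ' + $action.Arguments).Trim()
                }
            }
        }
    }
}

Find-UserlandPersistence | Format-Table -AutoSize -Wrap
```

The output is a review list, not a kill list: legitimate per-user installers (cloud sync clients, some updaters) also live under AppData and will appear. What you are looking for is an entry created at the time of the incident, pointing into Downloads, Temp, or a path the user does not recognize.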

Time Is Everything

If the attack is not caught within minutes, it escalates quickly.

What Makes This Attack Hard to Stop

Several design choices make this campaign particularly effective:

It uses real, trusted infrastructure for delivery.

The payload is hosted on Microsoft’s own OneDrive service. The delivery email comes from a genuine Outlook.com or Gmail account. Neither can be blocked outright without disrupting legitimate business.

It uses a signed, legitimate executable as the entry point.

Antivirus tools are reluctant to quarantine signed binaries from known publishers. The malicious component is the sideloaded DLL, which is often flagged only after the execution has already begun.

It arrives already trusted.

By the time the file lands in the inbox, a human has already spoken to the sender on the phone. The usual instincts — “is this email suspicious?” — have been short-circuited.

It targets a specific role.

Intake staff are the frontline at professional services firms. They are trained to be helpful and responsive, not skeptical.

What Stops It

No single control stops this attack. A layered defense is required. Based on what we have seen work in production environments, here are the controls that matter most, ranked roughly in order of impact.

1. Managed Detection and Response (MDR) with Automated Host Isolation

This is the single most important control. When the attack chain executes, the window between malware launch and meaningful damage is measured in minutes. A human-monitored MDR platform that can automatically isolate a compromised host from the network the moment suspicious behavior is detected turns a potential breach into a contained incident.

What We've Seen in Practice

In the cases DP3 has responded to, automated isolation fired within minutes of execution and prevented lateral movement every time.

2. Application Control (AppLocker or Equivalent)

Application control policies prevent unauthorized executables from running at all — regardless of whether a user double-clicks them. A well-designed policy blocks execution from:

  • User-writable locations (Downloads, Desktop, Temp, AppData)
  • Removable media
  • Mounted disk images (the exact vector this attack relies on)

Application control would have stopped this attack cold, before any malicious code ever ran. Implementation requires careful scoping against the firm’s line-of-business applications, but the payoff is significant.
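To make "blocks execution from user-writable locations, removable media and mounted images" concrete, here is an added example (not code from the DP3 case study) of the simplest AppLocker policy that achieves it: Everyone may run only from the Windows and Program Files trees, administrators are unrestricted, and everything else is denied by default. It checks what the policy would decide for a signed Windows binary copied under a document-style name into Downloads, then applies the policy in audit mode. Rule names, the temporary file paths and the stand-in file are assumptions; run it elevated.

```powershell
# Added example, not code from the DP3 case study. Minimal allow-list AppLocker
# policy applied in audit mode, with a decision check for a user-writable path.
$collection = @'
  <RuleCollection Type="{0}" EnforcementMode="AuditOnly">
    <FilePathRule Id="{1}" Name="Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{2}" Name="Everyone: Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{3}" Name="Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
'@
function New-Collection([string]$Type) {
    $collection -f $Type, [guid]::NewGuid(), [guid]::NewGuid(), [guid]::NewGuid()
}

# Exe covers the renamed host program; Dll covers the sideloaded library beside it.
# Anything not matched by an Allow rule is denied by default: Downloads, Desktop,
# Temp, AppData, removable media and any mounted image all fall into that gap.
$policyXml  = "<AppLockerPolicy Version=`"1`">`n" + (New-Collection 'Exe') + (New-Collection 'Dll') + "</AppLockerPolicy>"
$policyPath = Join-Path $env:TEMP 'intake-applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Stand-in for the lure: a signed Windows binary copied under a document-style
# name into a user-writable folder. Test-AppLockerPolicy needs a real file on disk.
$standIn = Join-Path $env:USERPROFILE 'Downloads\Accident_Report.exe'
Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $standIn -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path $standIn, "$env:SystemRoot\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $standIn -Force

# Apply in audit mode; the Application Identity service must be running for AppLocker to evaluate anything.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# Audit events 8003 (would have been blocked) show what line-of-business software
# the policy needs exceptions for before EnforcementMode is switched to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The decision check is the useful part: the Downloads copy is covered by no Allow rule, so it is denied by default even though the binary itself is signed by Microsoft, while the original under System32 is allowed. That is exactly the property the attack relies on not having. The DLL collection is what stops the sideloaded component; it is also the collection most likely to need exceptions, which is why the policy starts in audit mode.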

3. Block Disk Image Files at the Perimeter and Endpoint

Most law firms have no legitimate business need to receive .iso, .img, or .vhd files by email or download them from the internet. Blocking these file types at the email gateway and via endpoint controls eliminates an entire class of attack with almost no operational impact.

4. Microsoft Defender Attack Surface Reduction (ASR) Rules

Defender includes a set of ASR rules that specifically target the behaviors used in this campaign, including blocking executable content from email and webmail, blocking untrusted and unsigned processes that run from USB, and blocking Office applications from creating child processes. Enabling these rules in block mode — not just audit mode — is free and high-impact.
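As an added example (not code from the DP3 case study), the script below enables the three rules named above in block mode and reports the resulting state. The GUIDs are Microsoft's published identifiers for those rules; it assumes Microsoft Defender Antivirus is the active engine and is run from an elevated prompt on a machine not overridden by Intune or Group Policy.

```powershell
# Added example, not code from the DP3 case study. Enables three ASR rules in
# block mode and reads back the effective state from Get-MpPreference.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

foreach ($id in $asrRules.Keys) {
    # Enabled = block mode. AuditMode only records event 1122 instead of blocking (event 1121).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

function Get-AsrRuleState {
    param([Parameter(Mandatory)][hashtable]$Expected)
    $pref = Get-MpPreference
    $modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpperInvariant()
        if ($Expected.ContainsKey($id)) {
            [pscustomobject]@{
                Rule = $Expected[$id]
                Id   = $id
                Mode = $modes[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            }
        }
    }
    # Anything in $Expected that never appears in the preference is not configured.
    foreach ($id in $Expected.Keys) {
        if (-not ($pref.AttackSurfaceReductionRules_Ids -contains $id)) {
            [pscustomobject]@{ Rule = $Expected[$id]; Id = $id; Mode = 'NotConfigured' }
        }
    }
}

Get-AsrRuleState -Expected $asrRules | Format-Table -AutoSize
```

If a rule shows Audit or NotConfigured after this, a management channel (Intune, Group Policy) owns the setting and the change has to be made there. Line-of-business false positives are handled with the rule's exclusion list (the AttackSurfaceReductionOnlyExclusions preference) rather than by dropping the rule back to audit mode.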

5. Email Filtering for Consumer Cloud Storage Links

Inbound email containing links to personal OneDrive, personal Google Drive, Dropbox, and similar consumer cloud storage services from unverified senders should be quarantined or flagged for review. Legitimate clients rarely need to share files this way, and dedicated secure file transfer is a better option when they do.
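The two gateway controls above (blocking disk image files in item 3, and flagging consumer cloud storage links here) are both Exchange Online transport rules, so the added example below does both, plus the endpoint half of item 3: taking double-click mounting of .iso/.img/.vhd away from users. This is not code from the DP3 case study. It assumes an Exchange Online tenant with the ExchangeOnlineManagement module and an open Connect-ExchangeOnline session; rule names, the quarantine choice and the allow-listed partner domain are assumptions. The registry locations are the ProgIDs Explorer uses for its Mount verb on current Windows 10/11 builds; the script checks they exist before touching them.

```powershell
# Added example, not code from the DP3 case study. Gateway rules for disk image
# attachments and consumer cloud links, then removal of Explorer's Mount verb.

# 1. Disk images and virtual disks have no business arriving as attachments.
New-TransportRule -Name 'Block disk image attachments' `
    -AttachmentExtensionMatchesWords 'iso', 'img', 'vhd', 'vhdx' `
    -RejectMessageReasonText 'Disk image attachments are not accepted. Please use the client intake portal.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 2. Consumer cloud-storage share links from outside the organization go to
#    quarantine for review. Business OneDrive lives under *.sharepoint.com, so
#    the patterns below deliberately match only personal-storage hosts.
$consumerLinkPatterns = @(
    'https?://1drv\.ms/',
    'https?://onedrive\.live\.com/',
    'https?://drive\.google\.com/',
    'https?://www\.dropbox\.com/(s|scl)/'
)
New-TransportRule -Name 'Review consumer cloud storage links from external senders' `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $consumerLinkPatterns `
    -Quarantine $true `
    -ExceptIfSenderDomainIs 'trusted-partner.example'   # assumption: counterparties you have verified

# 3. Endpoint side (run elevated): with the Mount verb gone, double-clicking a
#    downloaded .iso/.img/.vhd does nothing. The keys are exported first so the
#    change can be reversed for any user who genuinely needs mounting.
foreach ($progId in 'Windows.IsoFile', 'Windows.VhdFile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\mount"
    if (Test-Path -Path $key) {
        reg.exe export "HKCR\$progId\shell\mount" (Join-Path $env:TEMP "$progId-mount-backup.reg") /y | Out-Null
        Remove-Item -Path $key -Recurse
        Write-Host "Removed Mount verb for $progId"
    }
}
```

Rule 1 only helps with the variant where the archive is attached; in the campaign described here the ZIP arrives through a link, which is why rule 2 and the endpoint change matter more. Quarantining rather than rejecting in rule 2 keeps the occasional legitimate share link recoverable, at the cost of someone reviewing the quarantine. Watch for an Exchange or Windows servicing update re-creating the Mount verb, and re-run step 3 from your configuration baseline rather than by hand.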

6. A Secure Client Intake Portal

Address the Root Cause

This is the preventive measure that addresses the root cause. Rather than accepting files by email from unknown prospective clients, firms should route all prospective client submissions through a secure intake form on the firm’s website.

A properly designed intake portal:

  • Restricts uploads to safe file types only (PDF, JPG, PNG)
  • Rejects executables, scripts, disk images, and archives outright
  • Scans every upload with a modern malware engine
  • Logs submission IP addresses for audit
  • Uses CAPTCHA and rate limiting to deter automated abuse

A secure intake portal removes email as the channel for receiving files from strangers — and when you remove the channel, the attack goes away.
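The first three bullets above are a server-side validation step, and the detail that matters is checking the content, not just the file name. The following is an added example, not code from the DP3 case study or any intake product: the accept/reject decision an intake portal should make before an upload is stored, written as a function that a PowerShell-hosted backend could call. The allowed types, size cap and byte signatures are assumptions; the sample uploads are constructed. Malware scanning, CAPTCHA and rate limiting sit outside this function.

```powershell
# Added example, not code from the DP3 case study. Validates an upload by
# extension allow-list and by leading bytes (magic numbers), so a renamed
# executable or disk image is rejected even when it is called something.pdf.
function Test-IntakeUpload {
    param(
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][byte[]]$Content,
        [int]$MaxBytes = 25MB
    )
    # Allowed extension -> acceptable leading byte signatures for that type.
    $allowed = @{
        '.pdf'  = @(, @(0x25, 0x50, 0x44, 0x46, 0x2D))                      # %PDF-
        '.jpg'  = @(, @(0xFF, 0xD8, 0xFF))
        '.jpeg' = @(, @(0xFF, 0xD8, 0xFF))
        '.png'  = @(, @(0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A))
    }

    # Only the final extension counts: "Report.pdf.exe" ends in .exe and fails here,
    # as do .img, .iso, .zip and every other type not on the list.
    $ext = [IO.Path]::GetExtension($FileName).ToLowerInvariant()
    if (-not $allowed.ContainsKey($ext)) {
        return [pscustomobject]@{ Accepted = $false; Reason = "Extension '$ext' is not on the allow-list"; StoredName = $null }
    }
    if ($Content.Length -eq 0 -or $Content.Length -gt $MaxBytes) {
        return [pscustomobject]@{ Accepted = $false; Reason = 'Empty file or over the size limit'; StoredName = $null }
    }

    # The bytes must match the type the name claims. A PE executable starts with
    # "MZ", a disk image with a boot sector or ISO descriptor, neither of which is %PDF-.
    $signatureOk = $false
    foreach ($sig in $allowed[$ext]) {
        if ($Content.Length -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($Content[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { $signatureOk = $true; break }
    }
    if (-not $signatureOk) {
        return [pscustomobject]@{ Accepted = $false; Reason = 'Content does not match the declared file type'; StoredName = $null }
    }

    # Never store under the client-supplied name: a generated name removes path
    # tricks and keeps the on-disk extension tied to the verified type.
    $stored = [guid]::NewGuid().ToString() + $ext
    return [pscustomobject]@{ Accepted = $true; Reason = 'OK'; StoredName = $stored }
}

# Constructed samples (not real client files).
$pdfBytes = [Text.Encoding]::ASCII.GetBytes('%PDF-1.7 constructed sample body')
$peBytes  = [byte[]](0x4D, 0x5A) + [byte[]]::new(64)        # "MZ" header, then padding

Test-IntakeUpload -FileName 'insurance.pdf'       -Content $pdfBytes   # accepted
Test-IntakeUpload -FileName 'Accident_Report.pdf' -Content $peBytes    # rejected: bytes say executable
Test-IntakeUpload -FileName 'photos.img'          -Content $pdfBytes   # rejected: extension
Test-IntakeUpload -FileName 'Report.pdf.exe'      -Content $pdfBytes   # rejected: extension
```

The second sample is the case worth noticing: the name is exactly what the attacker would choose, and it is refused on content alone. An accepted file still goes to the malware engine next; this check just guarantees the engine only ever sees documents and images.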

7. Security Awareness Training That Covers Vishing

Most phishing training focuses on suspicious emails. This campaign succeeds because the email arrives after the user has already been primed by a phone call. For a broader view of the security controls every firm should have in place, see our IT and security checklist. Training needs to address:

  • How vishing works and why it’s effective
  • That .img, .iso, .zip, and other archive or disk-image formats can contain hidden executables
  • That a phone call does not verify a sender’s identity
  • How to verify the legitimacy of a prospective client before opening any file
  • Why forwarding suspicious emails internally expands the blast radius
  • How to report a suspected incident quickly

8. Conditional Access and Modern Authentication

If credentials are harvested during an incident, Conditional Access policies limit what an attacker can do with them. Enforcing multi-factor authentication on all accounts, blocking legacy authentication protocols, and restricting sign-ins from unexpected locations or unmanaged devices are all essential security baselines.

9. Least Privilege on Workstations

Users should not be local administrators on their own machines. Removing local admin rights dramatically reduces what malware can do after initial execution and is a prerequisite for most of the controls above to be fully effective.

What to Do If You Think You’ve Been Hit

If a user at your firm has just clicked a suspicious link, mounted a disk image, or run an unfamiliar executable, treat it as an incident immediately. The right sequence:

  1. Disconnect the workstation from the network. Pull the Ethernet cable or disable Wi-Fi. Do not power it off — volatile evidence is useful for investigation.
  2. Contact your IT or MSP provider. The faster a responder can engage, the smaller the incident.
  3. Reset the user’s password and revoke active sessions across Microsoft 365 and any other critical services.
  4. Preserve the original phishing email. Do not delete it. Your responders will need it for header analysis and threat intelligence.
  5. Do not reply to or re-engage the sender. Do not click any additional links or open any additional files, even to “investigate.”
  6. Notify cyber insurance, if applicable. Most policies have tight notification windows.
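For steps 1 and 3 above, here is the responder side as an added example, not code from the DP3 case study. Step 1 disables every active physical adapter on the workstation while leaving it powered on; step 3 revokes the user's Microsoft 365 sessions and forces a password change. It assumes local administrator rights on the workstation, the Microsoft.Graph PowerShell SDK with User.ReadWrite.All and Directory.AccessAsUser.All consent, and that the user principal name is supplied by the responder (the value in the usage line is a placeholder).

```powershell
# Added example, not code from the DP3 case study. Containment and account
# revocation commands for steps 1 and 3; user principal name is a placeholder.

# Step 1: cut the network, keep the power on (memory and open handles are evidence).
function Disconnect-Workstation {
    # Only physical adapters that are currently up; loopback and virtual adapters
    # used by forensic tooling are left alone.
    Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
        Write-Host "Disabling $($_.Name) ($($_.InterfaceDescription))"
        Disable-NetAdapter -Name $_.Name -Confirm:$false
    }
}

# Step 3: invalidate every session issued before now, then force a new password,
# so a stolen token and a stolen password both stop working. Block sign-in until
# the investigation clears the account.
function Reset-CompromisedUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

    # Revokes refresh tokens across Microsoft 365; access tokens expire within the hour.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # Temporary password, handed to the user out-of-band (phone, in person), never by email.
    $tempPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true
    }
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

    [pscustomobject]@{
        User             = $UserPrincipalName
        SessionsRevoked  = $true
        SignInBlocked    = $true
        TemporaryPassword = $tempPassword
    }
}

# Usage (run on the affected workstation, then from the responder's admin session):
# Disconnect-Workstation
# Reset-CompromisedUser -UserPrincipalName 'intake01@firm.example'
```

Order matters: revoke sessions before the password reset, otherwise an attacker holding a valid refresh token keeps working until it expires. Re-enable the account only after the workstation has been reimaged or cleared and the user has set their own password with MFA.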

Speed Matters

An incident contained in the first 30 minutes looks very different from one discovered the next day.

How DP3 Helps

DP3 is a managed services provider focused on law firms and professional services organizations. The layered defenses described above are not theoretical for us — they are the controls we deploy, monitor, and maintain for our clients every day.

If your firm would like a review of how your current environment would hold up against this kind of attack, we would be glad to help.

Contact us to schedule a review

This case study is based on real incidents DP3 has investigated. All firm names, user names, host names, and specific indicators of compromise have been omitted. Technical details reflect the attack pattern as observed across multiple engagements.