Why Accounting and Legal Firms Are the Perfect Target

If you were designing the ideal target for a financially motivated cybercriminal, you would probably design something that looked a lot like an Australian accounting or legal firm.

High-value data. Trusted relationships with multiple other businesses. Deadline pressure that makes staff more likely to click without thinking. Technology environments that are often years behind where they should be. And a professional culture where confidentiality norms make people reluctant to report something that might reflect badly on the firm.

This is not speculation. It is a pattern I have seen repeatedly in incident response investigations, and it is reflected in the threat intelligence data that comes through our SOC. Professional services firms are being targeted deliberately and systematically, and most of them are not prepared for the level of attention they are receiving.

The Data Is the Whole Point

Accounting firms hold tax file numbers, payroll data, financial statements, bank account details, trust account records, and detailed knowledge of client business structures. Legal firms hold executed contracts, litigation strategy, M&A due diligence materials, property transaction records, and communications protected by legal privilege.

This information has direct monetary value. Bank account details and financial credentials can be monetised immediately. Tax file numbers and identity documents feed identity fraud operations. M&A materials and litigation strategy have value to corporate espionage actors. Trust account details are a direct path to large fund transfers.

Beyond the intrinsic value of the data, professional services firms are also useful as a stepping stone. If an attacker compromises a firm that manages the accounts of 200 businesses, they have not just compromised one organisation. They have a foothold with direct communication channels, existing trusted relationships, and access to client financial systems in many cases. Business email compromise attacks launched from a legitimate accounting firm email account have a much higher success rate than the same attack launched from a random domain.

Your client relationships are the asset attackers are really after. Your systems are just the way in.

The Environmental Factors That Make It Easier

Understanding why the data is valuable explains the motivation. Understanding the environmental factors explains why the attacks succeed.

Legacy technology and deferred investment. Professional services firms, particularly smaller practices, have historically underinvested in technology relative to their revenue. Systems that should have been replaced or hardened years ago are still running. Patch cycles are irregular. Security tooling is limited to whatever the IT provider installed at setup and has not been reviewed since.

Deadline culture. Tax lodgement deadlines, settlement dates, court filing dates. Professional services environments operate under genuine time pressure on a regular basis. Phishing attacks timed to arrive during busy periods, particularly end of financial year, are significantly more effective because staff are rushing, principals are distracted, and the volume of legitimate urgent emails provides cover.

Credential exposure from third-party breaches. The credentials your staff use at work are often the same ones they use elsewhere. When a third-party service is breached and credential dumps appear on dark web forums, professional services staff are in those dumps the same as everyone else. Attackers run those credentials against Microsoft 365, accounting platforms, and practice management systems automatically. Credential stuffing is not sophisticated. It is systematic and it works.

Trust as an attack surface. Accountants and lawyers communicate constantly with clients, referral partners, financial institutions, and regulatory bodies. The volume and variety of legitimate requests makes it harder to identify illegitimate ones. An email requesting urgent payment, asking for a document to be reviewed, or directing a change to bank account details looks, on the surface, like a normal business interaction. The trust that makes these professional relationships function is the same trust that makes business email compromise so effective.

Reluctance to report. When something goes wrong in a professional services firm, the instinct is often to contain it quietly. The reputational stakes feel high, particularly for firms whose value proposition is built on trust and competence. This means incidents go unreported to the right people for longer than they should, the response is delayed, and the window for containment closes. I have seen cases where a principal knew something was wrong for weeks before engaging an incident response team, by which point the damage was significantly worse than it needed to be.

What Attackers Actually Do

The attack patterns targeting professional services firms are not exotic. They are well-documented, frequently executed, and effective precisely because the defences are often not in place.

Phishing remains the primary initial access vector. Targeted phishing, where the attacker has done enough research to craft a message that references real colleagues, clients, or matters, is increasingly common. These emails are not generic. They are specific enough to pass a cursory review by a busy professional.

Once initial access is established, attackers move toward credential harvesting and session token theft. Modern attacks frequently bypass MFA not by defeating it technically, but by stealing the authenticated session token from the browser after MFA has already been completed. The attacker then replays that token and operates as the legitimate user. No second MFA prompt. No alert. This is how we see compromises persist for extended periods without triggering obvious alarms.

Business email compromise follows naturally from email account access. The attacker monitors communications, identifies upcoming transactions, and inserts themselves at the right moment with payment redirection instructions or fraudulent invoices. In accounting and legal environments, where six-figure transfers are a normal occurrence, the potential return on a single successful BEC is substantial.

Ransomware is typically the end state when attackers have decided to monetise through encryption rather than through long-term access and data theft. By the time ransomware deploys, the attacker has usually been in the environment for a significant period. The encryption event is not the beginning of the breach. It is the moment you find out about a breach that started long before.

What Actually Reduces the Risk

The good news is that the controls that address these risks are known, practical, and achievable for firms of any size.

Phishing-resistant MFA across all accounts eliminates the credential stuffing problem and significantly raises the bar for account compromise. FIDO2 hardware keys or Microsoft Authenticator in certificate-based mode are the standard to aim for. App-based MFA is better than nothing, but it remains vulnerable to adversary-in-the-middle attacks. The firms that have deployed phishing-resistant MFA are not seeing the same volume of successful initial access events.

Conditional access policies that restrict authentication to managed, compliant devices close the session token replay problem in most cases. If a stolen token is presented from an unmanaged device in an unexpected geography, the session should not be granted. This is a Microsoft 365 configuration problem, not an expensive one to solve, and it is one of the most effective controls available to Microsoft tenancies.

Application control prevents malicious payloads from executing even after they are delivered. If a staff member opens a malicious attachment or runs an installer from a phishing email, application control stops the payload before it does anything. Combined with macro settings configured correctly, this eliminates the majority of malware-based initial access attempts.

Security awareness training that goes beyond annual compliance tick-boxes, in particular training that includes simulated phishing and teaches staff to recognise the specific attack patterns targeting professional services firms, meaningfully reduces click rates over time. The firms that run consistent, realistic phishing simulations are the firms where staff start reporting suspicious emails rather than clicking them.

And visibility. If nobody is watching your environment continuously, you will not find out about a compromise until the attacker decides you should. Managed detection and response with continuous monitoring means someone is looking at what is happening in your environment at all times, not just when an alert happens to land in a ticketing queue during business hours.

The Risk Is Not Hypothetical

I am not writing this to generate alarm. I am writing it because the firms I speak to most often underestimate how specifically they are being targeted, and that underestimation translates directly into under-investment in controls that are genuinely achievable.

The question is not whether your firm is a target. It is whether the people targeting you are going to find it worth their time once they encounter what you have in place.

If you want a straight assessment of where your firm actually stands, get in touch. We do not dress it up and we do not oversell. You will get an honest picture of your current exposure and a practical plan to address it.