Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
June 8, 2026, 8:53 a.m.
Description
From January through May 2026, a financially motivated data-theft extortion campaign conducted by threat cluster UNC3753 targeted dozens of organizations across professional, legal, and financial services in the United States. The threat actors use voice phishing and social engineering, posing as IT support to convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities. Once inside an environment, they search for and exfiltrate highly sensitive data, including proprietary legal agreements, personally identifiable information, and financial records, for subsequent extortion demands. The entire attack sequence often occurs within a single business day, with recent incidents showing data theft initiated in under an hour. Notably, the threat actors have also accessed victims' systems in person, with individuals posing as IT technicians entering corporate offices to attempt direct exfiltration using USB storage media.
Tags
Date
- Created: June 5, 2026, 6:07 p.m.
- Published: June 5, 2026, 6:07 p.m.
- Modified: June 8, 2026, 8:53 a.m.
Attack Patterns
- BAZARLOADER
- Ursnif - S0386
- LOCKBIT.BLACK
- TrickBot - S0266
- SILENTNIGHT
- Totbrick
- PE_URSNIF
- UNC3753
Additional Information
- Finance
- Government
- itdesk.com
- business-data-leaks.com
- lockbit.black
- United States of America