Cyber Threat Alert
Active Threat

The message came through Teams.
It looked like IT.

And someone let them in.

No alarms. No warnings. A cyber group called UNC6692 didn't break in - they just pretended to be the helpdesk.

Microsoft Teams: IT Helpdesk (Online)

IT Helpdesk, 10:14 AM: Hi Jane - we're seeing unusual activity on your account. Can you run a quick check?
Account Diagnostic Tool: https://it-support.internal/diag/run

Jane Morris, 10:16 AM: Of course! Running it now 👍

Malware installed - 10:16 AM
Attacker now has full access. Jane had no idea.

What actually happened

They didn't break in.
They were invited.

UNC6692 pretended to be the helpdesk. One Teams message. One click. Full access - through a person, not a vulnerability.

No brute force. No exploit. No technical failure.
Just a person being helpful at the wrong moment.
This is the most common attack on law firms right now.

Attack sequence

1. First contact via Teams: Attacker sends a message posing as internal IT helpdesk through Microsoft Teams.
2. Build rapport quickly: Routine conversation. Friendly, professional, familiar. Nothing suspicious. Trust established.
3. Create a plausible problem: "We're seeing an issue with your account" - urgent enough to act on, routine enough not to question.
4. Guide them to run something: A link, a script, a quick check. Framed as helpful. Executed without question.
5. Malware installed. Access granted: Full access. Sensitive data exposed. The attacker is now inside the business - invited in by a helpful employee.

What this actually looks like

The Teams message your fee earner receives

It feels safe because it's in Teams, it's internal, and it sounds routine. Here's how that conversation looks.

Microsoft Teams - IT Support

IT Support - Helpdesk: Hi, IT here - we're seeing an issue with your account security. Can you just run this quick check? Shouldn't take more than a minute.
Link: Run account diagnostic - click here
Suspicious - unverified sender

Jane M. (Fee Earner): Of course, running it now!

IT Support - Helpdesk: Perfect, that's all sorted. You're all clear now.

Malware installed at this point
🧠

What Jane was thinking

"I'm fixing a problem. I'm being proactive. I'm helping IT. I'm doing my job well."

🎯

What the attacker exploited

Helpfulness. Speed. Respect for authority. The fact she was busy and didn't slow down to question it.

The psychology behind it

Attackers design around your people - not your systems

People don't act based on logic. They act based on how something makes them feel. Your employee isn't thinking "this could be a cyber attack." They're thinking "I need to get this sorted quickly."

That's the gap attackers exploit.

Why your firm is a target

Law firms are built for this type of attack

The psychology here isn't accidental. Attackers design their approach around how your people behave - not around your systems.

Your staff are wired to:
- Respond quickly to requests
- Help colleagues without question
- Not challenge apparent authority
- Operate under constant pressure

Your environment has:
- Sensitive, high-value client data
- Constant internal communication
- Junior staff trained to act fast
- High-pressure billing environments

Attackers don't need to break in. They just need someone to not slow down and question it.

What actually protects you

Let's be blunt about what works and what doesn't

Most security conversations focus on firewalls, passwords, and compliance. But none of that matters if someone inside your business says "Sure, I'll sort that now." At that point, the attacker is being invited in.

This won't stop it:
x More tools or software
x More policies and procedures
x More "be careful" reminder emails
x Firewalls and compliance frameworks

This will:
+ Staff who recognise manipulation
+ Real-world attack simulations
+ Clear rules on how IT communicates
+ Regular testing and board reporting

One rule to give your team right now

If IT asks you to do something via Teams - pause. Every time. No exceptions.

Do not:
- Click anything they send
- Run anything on your machine
- Approve any prompts or dialogs

Instead:
- Pick up the phone
- Call the helpdesk directly
- Verify the request out-of-band

Find out your real risk

Want to know if your team would fall for this?

We run simulated attacks like this against your staff. Not theory. Not training slides. Real scenarios.

We show you who engages, where the risk is, and what needs fixing. And you get a report you can take to the board.

The bottom line

This wasn't a technical failure. It was a human moment. And those are the hardest to control - unless you test them.

workplaceconnect.co.uk  |  hello@workplaceconnect.co.uk  |  86-90 Paul Street, London EC2A 4NE