Law Firms Targeted By Vishing And RMM Tool Attacks

The threat actor UNC3753 is conducting a sophisticated campaign targeting U.S. law firms through vishing (voice phishing) attacks combined with legitimate remote monitoring and management (RMM) tools. Attackers impersonate IT support personnel to trick employees into installing remote access software, enabling data exfiltration of sensitive legal documents and client information. This social engineering-heavy approach bypasses traditional security controls by exploiting the human element rather than technical vulnerabilities.

Introduction

U.S. law firms are facing an escalating threat from UNC3753, a cybercriminal group employing a combination of social engineering and legitimate IT tools to breach high-value targets. Unlike traditional attacks that exploit software vulnerabilities, this campaign leverages vishing tactics to manipulate employees into granting attackers direct access to corporate networks.

The attackers’ methodology demonstrates a concerning evolution in cyber threats: rather than developing complex malware or exploit chains, threat actors are increasingly exploiting the weakest link in any security infrastructure—human trust. Law firms, which handle extraordinarily sensitive information including intellectual property, merger and acquisition details, litigation strategies, and confidential client data, represent lucrative targets for financially motivated adversaries and espionage operations alike.

This campaign’s effectiveness lies in its simplicity and the abuse of tools that organizations use daily, making detection challenging and raising critical questions about how enterprises validate identity and authorize system access.

Background & Context

UNC3753 emerged as a distinct threat cluster targeting professional services firms, with particular focus on legal practices across the United States. The designation “UNC” (uncategorized) indicates this is a tracked threat group that hasn’t yet been attributed to a known entity or assigned a formal designation by threat intelligence teams.

Law firms have historically been attractive targets for several reasons:

  • High-value data repositories: Legal practices maintain extensive collections of confidential documents including trade secrets, financial records, and privileged communications
  • Complex client networks: Firms serve as potential pivot points to access larger corporate targets
  • Resource constraints: Smaller and mid-sized firms often lack dedicated cybersecurity teams despite handling sensitive information
  • Trust-based culture: Legal professionals frequently communicate with unfamiliar parties, making social engineering more effective

RMM tools such as AnyDesk, TeamViewer, ConnectWise, and ScreenConnect have legitimate business purposes for IT support and remote work scenarios. However, these same capabilities—screen control, file transfer, credential access—make them powerful weapons when deployed by malicious actors. Unlike traditional remote access trojans (RATs), legitimate RMM tools often bypass security controls because they’re recognized software that organizations already use.

Vishing represents the voice-based evolution of phishing, where attackers use phone calls to create urgency, establish false authority, and manipulate targets into taking actions they would otherwise question.

Technical Breakdown

The UNC3753 attack chain follows a predictable but effective sequence:

Phase 1: Initial Contact

Attackers initiate unsolicited phone calls to law firm employees, typically targeting reception staff, paralegals, or junior associates. The caller impersonates:

  • IT support personnel claiming to address a security issue
  • Software vendor representatives offering mandatory updates
  • Help desk technicians responding to a fabricated ticket

The social engineering relies on creating artificial urgency (“Your account will be locked in 15 minutes”) and establishing false authority through technical jargon and confident demeanor.

Phase 2: RMM Tool Deployment

Once the target is convinced, attackers direct them to download and install an RMM tool. Common instructions include:

"Please navigate to anydesk.com and download the remote support client"
"I'm sending you a link via email—click Download Now and run the installer"
"Type in this nine-digit code so I can securely connect to your system"

The victim unknowingly provides the attacker with:

  • Full desktop access and control
  • Ability to view all on-screen content
  • File system access for uploading/downloading
  • Credential harvesting opportunities
  • Network reconnaissance capabilities

Phase 3: Persistence and Lateral Movement

After gaining initial access, UNC3753 operators:

  • Configure the RMM tool for unattended access with modified settings to reduce visibility
  • Harvest credentials from browsers, password managers, and cached authentication tokens
  • Map network shares and document repositories
  • Identify high-value targets like document management systems (DMS), email servers, and client databases
  • Establish alternative access methods for redundancy

Phase 4: Data Exfiltration

The attackers systematically identify and extract sensitive materials:

# Example of file types typically targeted
*.docx (legal briefs, contracts)
*.pdf (court filings, agreements)
*.xlsx (financial records, case data)
*.msg/.pst (email archives)
*.zip (compressed document collections)

Exfiltration occurs through the RMM tool’s built-in file transfer capabilities, often during non-business hours to reduce detection likelihood. The legitimate nature of the RMM traffic makes it difficult to distinguish from normal administrative activity.

Impact & Risk Assessment

The consequences of successful UNC3753 compromises are severe and multifaceted:

Confidentiality Breaches

Exposure of attorney-client privileged communications undermines legal protections and can compromise ongoing litigation. Disclosure of sensitive client information may trigger regulatory obligations under data protection laws including GDPR, CCPA, and industry-specific regulations like HIPAA for healthcare clients.

Financial Impact

Beyond immediate incident response costs, firms face:

  • Potential malpractice claims from affected clients
  • Regulatory fines for data protection violations
  • Loss of business due to reputational damage
  • Increased cyber insurance premiums
  • Client notification and credit monitoring expenses

Strategic Compromise

For firms handling mergers, acquisitions, or high-stakes litigation, stolen intelligence can provide adversaries with:

  • Negotiation strategies and settlement positions
  • Due diligence findings and valuation data
  • Witness testimony and evidence inventories
  • Corporate strategy and decision-making insights

Risk Severity: CRITICAL

The combination of high-impact consequences and the campaign’s demonstrated success in bypassing technical controls elevates this threat to critical severity for the legal sector. The attack’s reliance on social engineering means traditional security investments provide limited protection.

Vendor Response

RMM software vendors have responded with varying levels of urgency to the abuse of their platforms:

AnyDesk has implemented enhanced security features including two-factor authentication requirements and suspicious connection monitoring. The company maintains a security advisory page for enterprise customers.

TeamViewer introduced conditional access policies, anomaly detection for unusual connection patterns, and improved logging capabilities for enterprise deployments.

ConnectWise (ScreenConnect) has emphasized configuration best practices and provides security hardening guides focusing on access restrictions and session monitoring.

However, the fundamental challenge remains: these tools function as designed when attackers gain authorized installation through social engineering. Vendors cannot fully prevent misuse without compromising the legitimate remote access functionality their customers require.

Industry coalitions including the Legal Sector ISAC have issued advisories to member firms, sharing indicators of compromise and recommended defensive measures specific to legal practice environments.

Mitigations & Workarounds

Organizations can implement multiple defensive layers to address this threat:

Technical Controls

  • Application Allowlisting: Restrict RMM tool execution to IT department-managed devices only
    # AppLocker allow rule for AnyDesk scoped to IT staff; under AppLocker's default-deny, everyone else
    # is blocked from running it (elevated PowerShell; enforcement needs the Application Identity service)
    Get-AppLockerFileInformation -Directory "C:\Program Files\AnyDesk" -Recurse | New-AppLockerPolicy -RuleType Publisher -User "DOMAIN\IT-Staff" -RuleNamePrefix "AnyDesk" -Optimize -Xml | Out-File ".\AnyDesk-Allowlist.xml"
    Set-AppLockerPolicy -XmlPolicy ".\AnyDesk-Allowlist.xml" -Merge
  • Network Segmentation: Limit RMM tool network access to prevent lateral movement
  • Endpoint Detection: Deploy EDR solutions configured to alert on RMM tool installation and execution
  • DNS Filtering: Block access to known RMM download sites for non-IT users

Process Controls

  • Establish formal IT support verification procedures requiring employees to independently confirm support requests through known-good channels
  • Implement out-of-band authentication for remote access requests
  • Create designated IT support phone numbers and prohibit accepting inbound “support” calls
  • Require multi-person authorization for software installation

User Education

Conduct scenario-based training focusing on:

  • Vishing red flags (unsolicited calls, artificial urgency, requests to install software)
  • Proper IT support request procedures
  • Safe verification methods before complying with technical instructions

Detection & Monitoring

Security teams should implement monitoring for UNC3753 TTPs:

Behavioral Indicators

  • Unusual RMM tool installations, especially on non-IT user endpoints
  • RMM software execution outside business hours
  • Large outbound data transfers through RMM tool processes
  • Multiple failed authentication attempts following RMM sessions
  • Rapid sequential access to document repositories

Network Signatures

Monitor for connections to known RMM infrastructure:

anydesk.com
teamviewer.com
connectwise.com
screenconnect.com

Log Analysis

Correlate multiple data sources:

Security Event ID 4688 (Process Creation) + RMM executable names
Firewall logs showing connections to RMM infrastructure
File system audit logs of document access patterns
Authentication logs showing credential usage after RMM sessions

SIEM Detection Rules

# Sigma rule (convert to the target SIEM's query language with sigma-cli)
title: Suspicious RMM Installation
description: RMM client launched by an account outside the IT support group. Response - alert SOC, isolate endpoint, contact user.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: ['\anydesk.exe', '\teamviewer.exe']
  filter_it_support:
    User: ['DOMAIN\it-helpdesk01']   # placeholder; process events carry account names, not group membership, so list the IT support accounts
  condition: selection and not filter_it_support
level: high
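The correlation described under Log Analysis and the SIEM rule above can be prototyped offline before it is ported to a SIEM. The script below is an added example, not code from the article or from any RMM vendor: it parses a handful of constructed key=value log lines (process creation, firewall, file access) and emits a finding when an RMM executable is launched by an account outside IT support, escalating to CRITICAL when the same host also shows large egress to RMM relay domains or the same user touches many document files in a short window. The account names, hostnames, log layout, business-hours range and thresholds are assumptions; only the executable names, domains and file extensions come from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Names taken from the article; everything below this block is an assumption
RMM_EXECUTABLES = {"anydesk.exe", "teamviewer.exe"}
RMM_DOMAINS = ("anydesk.com", "teamviewer.com", "connectwise.com", "screenconnect.com")
DOCUMENT_EXTENSIONS = (".docx", ".pdf", ".xlsx", ".msg", ".pst", ".zip")
IT_SUPPORT_ACCOUNTS = {"CORP\\it-helpdesk01"}  # assumed: populated from the IT support group
BUSINESS_HOURS = range(8, 19)                    # assumed: 08:00-18:59 local time

# Constructed sample telemetry (one event per line: TIMESTAMP key=value ...); not real logs
SAMPLE_LOG = r"""
2024-05-14T10:02:15 type=process host=WS-IT-01 user=CORP\it-helpdesk01 image="C:\Program Files\AnyDesk\AnyDesk.exe"
2024-05-14T11:30:00 type=process host=WS-RECEP-02 user=CORP\asmith image=C:\Windows\System32\notepad.exe
2024-05-14T14:12:00 type=firewall host=WS-IT-01 dst=relay-1.anydesk.com dport=443 bytes_out=2500000
2024-05-14T22:07:11 type=process host=WS-PARA-07 user=CORP\jdoe image=C:\Users\jdoe\Downloads\AnyDesk.exe
2024-05-14T22:09:40 type=firewall host=WS-PARA-07 dst=relay-3.anydesk.com dport=443 bytes_out=41250000
2024-05-14T22:11:05 type=file host=WS-PARA-07 user=CORP\jdoe path=\\dms\matters\M-1042\merger_agreement.docx
2024-05-14T22:11:09 type=file host=WS-PARA-07 user=CORP\jdoe path=\\dms\matters\M-1042\due_diligence.xlsx
2024-05-14T22:11:20 type=file host=WS-PARA-07 user=CORP\jdoe path=\\dms\matters\M-1042\term_sheet.pdf
2024-05-14T22:12:02 type=file host=WS-PARA-07 user=CORP\jdoe path=\\dms\matters\M-1042\board_minutes.docx
2024-05-14T22:12:41 type=file host=WS-PARA-07 user=CORP\jdoe path=\\dms\matters\M-1042\mailbox_export.pst
2024-05-14T22:13:15 type=file host=WS-PARA-07 user=CORP\jdoe path=\\dms\matters\M-1042\exhibits.zip
2024-05-14T22:15:02 type=firewall host=WS-PARA-07 dst=relay-3.anydesk.com dport=443 bytes_out=380000000
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value may be double-quoted


def parse_event(line: str) -> dict:
    """Parse one 'TIMESTAMP key=value ...' line into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for m in KV.finditer(rest):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def parse_log(text: str) -> list:
    return [parse_event(ln) for ln in text.strip().splitlines() if ln.strip()]


def is_rmm_domain(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in RMM_DOMAINS)


def rmm_process_alerts(events: list) -> list:
    """Event ID 4688 analogue: RMM executable started by an account outside IT support."""
    alerts = []
    for e in events:
        if e.get("type") != "process":
            continue
        exe = e["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in RMM_EXECUTABLES and e["user"] not in IT_SUPPORT_ACCOUNTS:
            reasons = ["rmm_process_by_non_it_user"]
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append("outside_business_hours")
            alerts.append({"host": e["host"], "user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts


def rmm_egress_by_host(events: list, threshold_bytes: int) -> dict:
    """Sum outbound bytes to RMM domains per host; return hosts at or over the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e.get("type") == "firewall" and is_rmm_domain(e["dst"]):
            totals[e["host"]] += int(e["bytes_out"])
    return {h: b for h, b in totals.items() if b >= threshold_bytes}


def bulk_document_access(events: list, window_minutes: int, min_files: int) -> dict:
    """DLP-style check: distinct document files one user touched inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if e.get("type") == "file" and e["path"].lower().endswith(DOCUMENT_EXTENSIONS):
            by_user[e["user"]].append((e["ts"], e["path"]))
    hits = {}
    for user, touches in by_user.items():
        touches.sort()
        for i, (start, _) in enumerate(touches):
            paths = {p for t, p in touches[i:] if t - start <= window}
            if len(paths) >= min_files:
                hits[user] = max(hits.get(user, 0), len(paths))
    return hits


def correlate(events: list, egress_threshold: int = 100_000_000,
              window_minutes: int = 10, min_files: int = 5) -> list:
    """Join the three signals: an RMM launch by a non-IT user that is corroborated by RMM
    egress from the same host or bulk document access by the same user becomes CRITICAL."""
    egress = rmm_egress_by_host(events, egress_threshold)
    bulk = bulk_document_access(events, window_minutes, min_files)
    findings = []
    for a in rmm_process_alerts(events):
        reasons = list(a["reasons"])
        if a["host"] in egress:
            reasons.append(f"rmm_egress_bytes={egress[a['host']]}")
        if a["user"] in bulk:
            reasons.append(f"bulk_document_access={bulk[a['user']]}")
        corroborated = a["host"] in egress or a["user"] in bulk
        findings.append({**a, "reasons": reasons, "severity": "CRITICAL" if corroborated else "HIGH"})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f["severity"], f["host"], f["user"], f["ts"].isoformat(), ", ".join(f["reasons"]))
```

The IT helpdesk launch at 10:02 and its small relay traffic produce nothing, while the paralegal workstation's after-hours AnyDesk launch, 421 MB to an AnyDesk relay and six matter files opened in two minutes collapse into a single CRITICAL finding, which is the kind of cross-source correlation the text recommends over matching executable names alone.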

Best Practices

For Law Firms Specifically

  • Zero Trust Architecture: Implement “never trust, always verify” for all access requests, regardless of claimed authority
  • Document Management Security: Apply data loss prevention (DLP) controls to sensitive file repositories with alerting on bulk access or downloads
  • Privileged Access Management: Restrict administrative rights, require elevation justification, and audit all privileged operations
  • Incident Response Planning: Develop playbooks specifically for social engineering scenarios including immediate containment procedures
  • Third-Party Risk Management: Extend security requirements to vendors, opposing counsel file-sharing, and client communication channels

General Security Posture

  • Maintain current asset inventory including all authorized remote access tools
  • Implement phishing-resistant MFA using hardware tokens or biometric authentication
  • Conduct regular tabletop exercises simulating vishing scenarios
  • Establish clear escalation paths for suspicious requests
  • Review and audit RMM tool logs weekly at minimum

Key Takeaways

  • UNC3753’s vishing plus RMM tool strategy effectively bypasses technical security controls by exploiting human trust and organizational processes
  • Law firms represent high-value targets due to sensitive data holdings and often-limited security resources relative to the information they protect
  • Legitimate RMM tools become dangerous weapons in attacker hands, so their use requires strict governance and monitoring
  • Social engineering defense requires a combination of technical controls, process discipline, and comprehensive user awareness
  • Detection depends on behavioral analytics and cross-correlation of multiple data sources rather than signature-based approaches
  • Prevention prioritizes identity verification procedures and restricting remote access tool deployment to authorized IT personnel
  • The legal sector must elevate cybersecurity investment and awareness to match the value of assets being protected

This campaign underscores that sophisticated attacks increasingly target people rather than systems, requiring organizations to rethink security models that focus primarily on technical defenses while neglecting the human layer.

References

  • Mandiant Threat Intelligence: UNC3753 Threat Actor Profile
  • Legal Sector ISAC: Advisory on Social Engineering Attacks Targeting Law Firms
  • MITRE ATT&CK: T1566 (Phishing), T1219 (Remote Access Software)
  • AnyDesk Security Advisory: Best Practices for Enterprise Deployments
  • FBI Internet Crime Complaint Center: Business Email Compromise and Vishing Trends
  • American Bar Association: Cybersecurity Resource Center
  • NIST Special Publication 800-63B: Digital Identity Guidelines
