The Situation
A 9-person conveyancing firm operating from Collins Street had been referred to us by their professional indemnity insurer following their PI renewal. The insurer's questionnaire had flagged several security gaps — most critically, their DMARC record was at p=none (monitoring only), MFA was not enforced on any Microsoft 365 accounts, and the firm had no anti-impersonation rules in place on their email.
The firm's principal was aware of BEC risks in conveyancing — a neighbouring firm on their floor had suffered a $220,000 loss the previous year. But the previous IT provider had told him DMARC was "already set up" and MFA was "available if staff wanted it." On closer inspection, both statements were technically true and practically useless — DMARC in monitoring mode stops nothing, and MFA that staff can opt out of is meaningless when attackers can simply target accounts without it.
The firm handled approximately 40 residential property settlements per month, with an average settlement value of $650,000. Their exposure to BEC was not theoretical.
What We Did
We completed a full email security audit in the first week — reviewing all DNS records, Microsoft 365 tenant configuration, Outlook and Exchange settings, and the firm's existing mail flow. The audit revealed several sending sources (a newsletter platform and an automated conveyancing update service) that needed to be authorised in SPF and DKIM before DMARC could be moved to p=reject. Moving too quickly would have caused legitimate mail from those sources to bounce.
- Completed DNS and email authentication audit — identified all legitimate mail sending sources
- Configured SPF to authorise all legitimate senders, closing gaps that would have caused DMARC enforcement to block legitimate mail
- Deployed DKIM signing on all outbound mail from the Microsoft 365 tenant and third-party senders
- Moved DMARC from p=none to p=quarantine for two weeks to monitor for false positives, then to p=reject
- Deployed Microsoft Defender for Office 365 Plan 1 with Safe Links, Safe Attachments, and anti-impersonation rules
- Configured anti-impersonation protection for all principals, senior solicitors, and the firm's top 20 client contacts
- Enforced MFA via Entra ID Conditional Access for all Microsoft 365 accounts with no bypass exceptions
- Delivered targeted BEC awareness training for conveyancing staff with specific settlement-payment-redirection scenarios
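As an added illustration of the audit step (example code written for this page, not CX IT's own tooling), the checker below classifies a domain's DMARC policy and SPF record the way the audit did: it flags p=none as monitoring-only, a partial pct=, a permissive or missing 'all' qualifier, and too many lookup mechanisms. The TXT records are constructed samples for hypothetical before/after domains, not the firm's real DNS.

```python
import re

# Constructed sample TXT records for a hypothetical firm domain, before and
# after hardening (not the firm's real DNS). Swap in live lookups to audit a
# real domain.
SAMPLE_TXT = {
    "_dmarc.before.example": "v=DMARC1; p=none; rua=mailto:dmarc@before.example",
    "before.example": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.after.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@after.example",
    "after.example": ("v=spf1 include:spf.protection.outlook.com "
                      "include:newsletter.test include:updates.test -all"),
}
SPF_ALL = {"-all": "hard fail", "~all": "soft fail", "?all": "neutral", "+all": "allow any"}
# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a($|:)|mx($|:)|ptr|exists:|redirect=)", re.I)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    return {k.strip().lower(): v.strip()
            for k, v in (t.split("=", 1) for t in record.split(";") if "=" in t)}


def audit_domain(domain: str, txt: dict) -> dict:
    """Classify DMARC enforcement and SPF strictness for one domain."""
    f = {"domain": domain, "issues": []}
    # DMARC: only the p= tag (and pct=) decides whether failing mail is stopped.
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", ""))
    f["dmarc_policy"] = dmarc.get("p", "none") if dmarc.get("v") == "DMARC1" else "absent"
    pct = int(dmarc.get("pct", "100"))
    if f["dmarc_policy"] in ("absent", "none"):
        f["issues"].append("DMARC absent or p=none: spoofed mail is reported, not blocked")
    elif pct < 100:
        f["issues"].append(f"DMARC pct={pct}: {100 - pct}% of failing mail escapes {f['dmarc_policy']}")
    # SPF: every non-'all' term is an authorised sender; the trailing 'all'
    # qualifier decides what happens to everyone else.
    spf = txt.get(domain, "").split()
    if not spf or spf[0].lower() != "v=spf1":
        f["spf_all"], f["spf_senders"] = "absent", []
        f["issues"].append("no SPF record: receivers cannot check the sending server")
        return f
    f["spf_senders"] = [t for t in spf[1:] if t.lstrip("+-~?").lower() != "all"]
    f["spf_all"] = SPF_ALL.get(spf[-1].lower(), "unknown")
    if f["spf_all"] in ("allow any", "neutral", "unknown"):
        f["issues"].append(f"SPF ends in {spf[-1]!r}: mail from unlisted servers is not failed")
    if sum(1 for t in spf if LOOKUP_TERM.match(t)) > 10:
        f["issues"].append("more than 10 lookup mechanisms: SPF evaluates to permerror")
    return f
```

Running audit_domain("before.example", SAMPLE_TXT) reports the monitoring-only DMARC the insurer flagged, while "after.example" comes back with no issues and three authorised senders.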
We had been told our email security was "fine" for years. Three weeks after CX IT actually fixed it, we stopped a $780,000 fraud attempt. That is not a coincidence — that is what proper email authentication looks like.
The Outcome
Three weeks after engagement commencement, with DMARC at p=reject and anti-impersonation controls live, an attacker attempted a classic BEC attack against one of the firm's settlement matters. The attack used a domain visually similar to the firm's — transposing two letters in the domain name — to send a message to a property purchaser claiming to update the settlement account details for a $780,000 transaction.
The attack was caught by two independent controls: the Microsoft Defender anti-impersonation rule flagged the message as a likely impersonation attempt and quarantined it before delivery, and the purchaser's solicitor separately called the firm to verify the instruction (following the payment verification procedure covered in the training) and confirmed that the instruction had not come from the firm.
The firm's principal contacted us immediately after the incident. "It worked exactly as you said it would," he said. "Three weeks ago that $780,000 would have gone."
The attacker had clearly been monitoring the matter — the timing, the amount, and the counterparty details in the fraudulent email were accurate. The attack was sophisticated and well-targeted. Without the controls in place, the probability of success was high.