OccuNX Privacy Advisory: Threat Dossier — Q2 2025
OccuNX Privacy Advisory: Quarterly Threat Intelligence for Professional Services
Threat Dossier, Q2 2025 (April to June 2025)
Breach intelligence filtered for law firms, CPA practices & wealth managers · occunx.com

Headline figures:
  • +63% BEC incidents year-over-year (Q2 2025 vs. Q2 2024)
  • 74% of incidents involved leaked credentials (reused or breach-sourced)
  • $4.9M average BEC loss per incident (professional services sector)
  • 19 days median dwell time before detection (in affected firms)

Business email compromise and credential stuffing campaigns reached record levels in Q2 2025, with professional services firms — law practices, CPA firms, and registered investment advisors — emerging as the most actively targeted sector outside of financial institutions. The convergence of three factors drove this surge: large-scale data broker leaks seeded threat actor databases with hundreds of millions of validated email-and-password pairs; widespread adoption of cloud-based practice management platforms created high-value credential targets where a single successful login yields privileged access at scale; and the economics of credential attacks have inverted — automated tooling now makes credential stuffing campaigns effectively free to run, while the per-success payoff in professional services environments is orders of magnitude higher than consumer targets. The majority of Q2 incidents involved commodity tooling, commercially available phishing kits, and leaked credential lists cycling through underground markets for months. The threat is systemic, not incidental.

"The firms appearing most frequently in Q2 incident disclosures were not small firms with visibly inadequate infrastructure. Several had undergone SOC 2 assessments or carried cyber liability coverage."

01  Spear-Phishing via Vendor Impersonation

Attackers spoof or clone legitimate vendor domains — DocuSign, Clio, NetDocuments, Thomson Reuters, Intuit — to deliver credential-harvesting pages. The targeting is precise: recipients receive emails referencing actual client names, matter numbers, or document titles scraped from prior breaches or public court filings. Capture rates in Q2 testing scenarios exceeded 34%.

What this means for your firm

Law firms: the most financially damaging Q2 incidents involved manipulation of real estate and M&A transaction wire instructions sent via these impersonation channels. A well-timed BEC intercept can redirect six- to eight-figure transfers. Carriers are increasingly excluding these losses from standard cyber policies absent documented out-of-band verification controls.

02  Credential Stuffing Against Cloud Practice Platforms

Automated credential stuffing uses leaked email-password pairs against cloud-hosted legal, accounting, and financial planning platforms. Success rates per attempt are low, but campaigns operate at scale: a single campaign may run millions of attempts across thousands of firm domains in under 24 hours. Accounts without MFA show a compromise rate roughly 400× higher than those with it.

What this means for your firm

Tax professionals are the highest-value targets in the credential theft ecosystem specifically because their systems contain Social Security numbers and Employer Identification Numbers in bulk. A single compromised login gives an attacker the raw material to file thousands of fraudulent returns and open lines of credit in client names. The IRS's Security Summit requirements create a floor of minimum controls — most firms treat them as a compliance checkbox rather than an operational baseline.

03  MFA Fatigue / Push Bombing

Attackers in possession of valid credentials bombard users with repeated MFA push notifications until they approve one out of frustration or confusion. This technique emerged in large enterprise attacks in prior years but has migrated to smaller firm targets as credential availability has increased. Firms using basic push-notification MFA rather than number-matching or FIDO2 keys are acutely vulnerable.

What this means for your firm

RIAs face a dual exposure here. A credential incident both creates direct financial harm potential — unauthorized instructions to custodians — and triggers mandatory SEC and state notification requirements with short timeframes. Firms that fail to detect an incident, notify within required windows, or demonstrate adequate controls face regulatory action that can materially exceed the direct financial loss.

04  Session Token Theft via Browser Extension

Malicious or compromised browser extensions harvest authenticated session tokens — bypassing credential and MFA protections entirely. Victims are already logged in; attackers extract the active session and replay it from a different IP. This vector is particularly difficult to detect through conventional credential monitoring. Q2 saw a notable uptick in extensions distributed via informal firm IT communications posing as productivity tools.

What this means for your firm

What unites all four vectors is that they attack the identity layer, not the network perimeter. An attacker with a valid credential or session token is indistinguishable from a legitimate user. The log shows a successful authentication — and nothing else. Credential hygiene, identity monitoring, and access control design are not optional security enhancements. They are the actual defensive perimeter in 2025.

Professional services is not a monolithic category. Law firms, CPA practices, and registered investment advisors carry distinct data profiles, face different regulatory frameworks, and present different risk surfaces to attackers. Managing partners and principals in each category should understand their specific exposure before designing controls.

Exposure by firm type (columns: primary data at risk; regulatory trigger; attack incentive; exposure):

Law Firm
  Primary data at risk: Client PII, matter files, wire instructions, litigation strategy, privilege-protected communications
  Regulatory trigger: State bar ethics rules, ABA Model Rules 1.6, state breach notification
  Attack incentive: BEC wire fraud, litigation intelligence, extortion via privilege waiver threat
  Exposure: High

CPA / Tax Practice
  Primary data at risk: SSNs, EINs, tax returns, financial statements, payroll data, banking credentials
  Regulatory trigger: IRS Publication 4557, FTC Safeguards Rule, state notification laws
  Attack incentive: Identity fraud at scale, fraudulent refund filing, client account takeover
  Exposure: High

Wealth Manager / RIA
  Primary data at risk: Account numbers, portfolio holdings, banking relationships, beneficiary data, estate structures
  Regulatory trigger: SEC Regulation S-P, FINRA Rule 4370, state fiduciary standards
  Attack incentive: Fraudulent wire authorization, account liquidation, regulatory extortion
  Exposure: High

Multi-Service Firm
  Primary data at risk: All of the above across the client base
  Regulatory trigger: Multiple overlapping frameworks
  Attack incentive: A single credential yields cross-disciplinary client exposure
  Exposure: Critical

The Q2 threat actor landscape in this sector is dominated by financially motivated criminal groups operating with commodity tooling — not sophisticated state-sponsored actors. This is, in some ways, more alarming than the alternative. State actors select targets carefully. Criminal groups targeting professional services with credential stuffing attacks are operating indiscriminately at scale, which means the probability of a firm being hit is governed by whether credentials are available and MFA gaps exist, not whether the firm has done anything to attract specific attention.

Initial Access Brokers & Exfiltration-First Tactics

A notable development in Q2 was the increased sophistication of the initial access broker (IAB) market specifically for professional services environments. IABs who specialize in obtaining and selling authenticated access to firm platforms — rather than raw credentials — were selling active sessions into practice management platforms, document repositories, and client portals for as little as $300 to $2,500 per access. Buyers ranged from ransomware operators to competitor intelligence collectors. The existence of this secondary market means that even firms with adequate password hygiene can be compromised if a vendor or subprocessor relationship creates an exposed access path.

Several ransomware groups historically associated with encryption-and-ransom operations were observed in Q2 shifting to exfiltration-first strategies against professional services targets. Rather than disrupting operations — which triggers immediate incident response — these groups silently exfiltrate client data over days to weeks, then leverage the threat of disclosure (to clients, regulators, or opposing counsel in active litigation) as the extortion mechanism. This approach is more damaging in high-trust sectors because the harm is reputational and regulatory, not purely operational.

At least three BEC campaigns targeting southeast U.S. law firms and accounting practices in Q2 were attributed to organized groups operating out of West Africa and Eastern Europe, using commercially available phishing kits updated with current DocuSign and Microsoft 365 branding. Attribution in these cases was incidental — firms were not selected; they were harvested.

The following indicators should be treated as active investigation triggers — not items to note and defer. In professional services environments with long attacker dwell times, delayed investigation directly increases the scope and cost of any incident.

  • Successful authentications from geographic locations inconsistent with staff travel patterns, particularly when followed immediately by data export or email rule creation activity.
  • Sudden creation of email forwarding rules, especially those forwarding to external domains or free webmail addresses. This is a consistent BEC tradecraft indicator across Q2 incidents.
  • MFA push notification volume spikes — staff receiving authentication requests they did not initiate is a direct indicator of credential compromise and an active push-bombing attempt.
  • Unusual bulk document access or download activity in practice management, document management, or client portal platforms, especially outside normal business hours.
  • Vendor or client impersonation emails requesting updated wire instructions or banking information — even when the sender domain appears legitimate. Domain lookalikes in Q2 campaigns were within 1–2 character substitutions of legitimate firm and vendor domains.
  • Browser extension installation on firm workstations not approved through a formal IT process. Particular attention is warranted for extensions requesting access to all site data, the clipboard, or cookie storage.
  • Login activity from IP ranges associated with residential proxy networks or commercial VPN providers — a common technique to obscure attacker origin while appearing geographically proximate to the target firm.
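The browser-extension indicator above is one of the few that can be checked mechanically on a workstation. The following is an added example, not OccuNX code or any vendor's tooling: it reads Chromium-style extension manifests (manifest v2 keeps host patterns under "permissions"; v3 moves them to "host_permissions"), flags the three permission categories the dossier singles out (all-site data, clipboard, cookie storage), and reports any extension not on a firm-maintained allowlist. The extension IDs, manifests, and allowlist are constructed samples; `load_manifests()` shows the on-disk layout to point at a real profile directory.

```python
"""Flag browser extensions requesting high-risk permissions.

Added example (not OccuNX code). Walks Chromium extension manifest.json files,
scores the permission categories named in the dossier, and reports extensions
that are risky or not on the firm's approved list.
"""
import json
from pathlib import Path

# Host patterns that grant access to every site. MV2 lists these under
# "permissions"; MV3 lists them under "host_permissions".
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Named permissions mapped to the categories the dossier calls out.
RISK_CATEGORIES = {
    "clipboard": {"clipboardRead", "clipboardWrite"},
    "cookies": {"cookies"},
}


def extension_risks(manifest: dict) -> list[str]:
    """Return the high-risk categories one manifest requests (empty if none)."""
    perms = set(manifest.get("permissions", []))
    hosts = perms | set(manifest.get("host_permissions", []))
    risks = []
    if hosts & ALL_SITES_PATTERNS:
        risks.append("all_sites")
    for category, names in RISK_CATEGORIES.items():
        if perms & names:
            risks.append(category)
    return risks


def audit_manifests(manifests: dict[str, dict], approved: set[str]) -> list[dict]:
    """Audit {extension_id: manifest}; return a finding for each risky or unapproved extension."""
    findings = []
    for ext_id, manifest in manifests.items():
        risks = extension_risks(manifest)
        is_approved = ext_id in approved
        if risks or not is_approved:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "(unnamed)"),
                "approved": is_approved,
                "risks": risks,
            })
    return findings


def load_manifests(profile_dir: Path) -> dict[str, dict]:
    """Read manifests from a Chromium profile's Extensions/<id>/<version>/manifest.json."""
    found = {}
    for path in profile_dir.glob("Extensions/*/*/manifest.json"):
        found[path.parents[1].name] = json.loads(path.read_text(encoding="utf-8"))
    return found


# Constructed sample manifests (IDs and names are made up) standing in for
# what load_manifests() would read from a real profile directory.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "Firm Citation Helper",
        "permissions": ["storage"],
        "host_permissions": ["https://research.example-vendor.test/*"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 3, "name": "Productivity Booster",
        "permissions": ["cookies", "clipboardRead", "tabs"],
        "host_permissions": ["<all_urls>"],
    },
    "cccccccccccccccccccccccccccccccc": {
        "manifest_version": 2, "name": "Legacy Toolbar",
        "permissions": ["http://*/*", "storage"],
    },
}
APPROVED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # constructed firm allowlist


if __name__ == "__main__":
    for finding in audit_manifests(SAMPLE_MANIFESTS, APPROVED_EXTENSIONS):
        status = "approved" if finding["approved"] else "NOT APPROVED"
        print(f"{finding['id']}  {finding['name']:<22} {status:<13} risks={finding['risks']}")
```

The allowlist is the real control: an extension with no flagged permissions that nobody approved still appears in the findings, which matches the dossier's point that the formal approval process, not the permission list alone, is what governs installation.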

The controls below are organized by impact relative to the Q2 threat vectors described in this dossier. Prioritization should reflect current gaps rather than policy preference. A firm with no MFA on cloud platform access should address that before refining security awareness training.

  1. Deploy phishing-resistant MFA on all cloud platforms.
     Replace push-notification MFA with number-matching or hardware key authentication (FIDO2/passkey) on all practice management, email, document management, and client portal platforms. Standard push MFA is ineffective against the push-bombing technique documented in Q2 campaigns. This is the single highest-impact control relative to current threat patterns.
  2. Conduct a cloud platform credential audit.
     Map every cloud platform in active use against the firm's vendor and subprocessor list. Identify accounts with weak, reused, or shared credentials. Run exposed credential checks against known breach databases for firm domain email addresses. Shared credentials — particularly for billing, research, or court filing platforms — represent acute risk and are rarely captured in standard password policies.
  3. Implement out-of-band wire transfer verification.
     Establish a documented protocol requiring voice confirmation via a previously verified phone number for all wire transfer instructions received via email, regardless of apparent sender. This single control eliminates the financial harm vector in the majority of Q2 law firm BEC incidents. The protocol must be documented and consistently applied — carrier coverage for wire fraud losses is increasingly conditioned on demonstrated verification procedures.
  4. Audit and restrict browser extensions on firm workstations.
     Inventory all browser extensions installed on firm devices. Remove any not explicitly approved for business use. Establish a policy governing extension installation with a defined approval process. For firms on managed devices, implement browser extension blocklisting for high-risk permission categories. Session token theft via extension is effectively undetectable by standard credential monitoring — prevention at the installation layer is the only reliable control.
  5. Enable and review login and access activity logs.
     Ensure cloud platform authentication logging is enabled and that someone is responsible for reviewing alerts. Many credential incidents detected in Q2 post-mortem analysis had visible indicators in login logs that went unreviewed for days. At a minimum, configure alerts for logins from new devices or geographic locations, failed authentication spikes, and bulk document access events.
  6. Review vendor and subprocessor access to firm data.
     Map which vendors have authenticated access to firm systems or data — not just direct integrations, but API connections, support access provisions, and third-party data processors used by primary vendors. Q2 incidents involving initial access brokers frequently exploited vendor-level access paths rather than direct employee credential compromise. Subprocessor exposure in practice management platforms warrants specific attention.
  7. Define and rehearse an incident response trigger.
     Establish clear criteria for what constitutes an incident requiring formal response, who makes that call, and what the first 24 hours of response looks like. Most small professional service firms lack this documentation. In the event of a regulatory-triggering incident, the ability to demonstrate that a defined process was followed — and followed promptly — materially affects both regulatory outcomes and carrier coverage determinations.
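Control 5 (alerting on login and access activity) and the investigation-trigger list earlier in this dossier describe the same detection logic from two sides. The block below is an added example, not OccuNX's code or any platform's built-in alerting: it runs four of the listed triggers over audit-log records (external forwarding-rule creation; a login from a country outside the user's baseline followed by export or rule creation; an MFA push spike; bulk off-hours downloads). The record shape (ts, user, event, country, detail), the firm domain, the per-user country baseline, and the thresholds are all assumptions, and the log records are constructed; map your platform's audit export into this shape before use.

```python
"""Run the dossier's investigation triggers over audit-log records.

Added example (not OccuNX code). Assumes a generic record shape:
{"ts": ISO-8601, "user": str, "event": str, "country": str (logins),
 "detail": dict (optional)}. Thresholds and baselines are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIRM_DOMAINS = {"firm.example"}           # assumption: the firm's own mail domains
PUSH_SPIKE_THRESHOLD = 5                  # MFA pushes to one user inside PUSH_WINDOW
PUSH_WINDOW = timedelta(minutes=10)
FOLLOW_ON_WINDOW = timedelta(minutes=30)  # export/rule creation soon after a suspect login
BULK_DOWNLOAD_THRESHOLD = 50              # documents per user per clock hour
BUSINESS_HOURS = range(7, 20)             # local hours treated as normal


def parse(records):
    """Convert ISO timestamps to datetime; leave other fields untouched."""
    return [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in records]


def external_forwarding_rules(events):
    """Inbox rule forwarding to a domain the firm does not own (BEC tradecraft indicator)."""
    alerts = []
    for e in events:
        if e["event"] == "InboxRuleCreated":
            target = e.get("detail", {}).get("forward_to", "")
            domain = target.rsplit("@", 1)[-1].lower()
            if domain and domain not in FIRM_DOMAINS:
                alerts.append((e["ts"], e["user"], f"forwarding rule to external {target}"))
    return alerts


def anomalous_login_follow_on(events, baseline):
    """Login from outside the user's usual countries, followed by export or rule creation."""
    alerts = []
    logins = [e for e in events if e["event"] == "LoginSuccess"
              and e.get("country") not in baseline.get(e["user"], set())]
    for login in logins:
        for e in events:
            if (e["user"] == login["user"] and e["event"] in {"DataExport", "InboxRuleCreated"}
                    and login["ts"] <= e["ts"] <= login["ts"] + FOLLOW_ON_WINDOW):
                alerts.append((login["ts"], login["user"],
                               f"login from {login['country']} then {e['event']}"))
                break
    return alerts


def push_bombing(events):
    """PUSH_SPIKE_THRESHOLD or more MFA pushes to one user within PUSH_WINDOW."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["event"] == "MfaPushSent":
            by_user[e["user"]].append(e["ts"])
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= PUSH_WINDOW)
            if n >= PUSH_SPIKE_THRESHOLD:
                alerts.append((start, user, f"{n} MFA pushes within {PUSH_WINDOW}"))
                break
    return alerts


def bulk_downloads(events):
    """BULK_DOWNLOAD_THRESHOLD or more downloads by one user in one clock hour."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "DocumentDownloaded":
            counts[(e["user"], e["ts"].replace(minute=0, second=0, microsecond=0))] += 1
    return [(hour, user, f"{n} downloads in one hour"
             + (" (off-hours)" if hour.hour not in BUSINESS_HOURS else ""))
            for (user, hour), n in counts.items() if n >= BULK_DOWNLOAD_THRESHOLD]


def run_triggers(records, baseline):
    """Return all alerts as (timestamp, user, description), oldest first."""
    events = parse(records)
    alerts = (external_forwarding_rules(events) + anomalous_login_follow_on(events, baseline)
              + push_bombing(events) + bulk_downloads(events))
    return sorted(alerts)


# Constructed sample data: usual countries per user, and a small audit log.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}}
SAMPLE_RECORDS = [
    {"ts": "2025-05-12T02:10:00", "user": "alice", "event": "LoginSuccess", "country": "NG"},
    {"ts": "2025-05-12T02:14:00", "user": "alice", "event": "InboxRuleCreated",
     "detail": {"forward_to": "alice.backup@freemail.example"}},
    *[{"ts": f"2025-05-13T09:{m:02d}:00", "user": "bob", "event": "MfaPushSent"}
      for m in (0, 1, 3, 4, 6, 7)],
    *[{"ts": f"2025-05-14T23:{m:02d}:00", "user": "carol", "event": "DocumentDownloaded"}
      for m in range(60)],
    {"ts": "2025-05-15T10:00:00", "user": "dave", "event": "LoginSuccess", "country": "US"},
]

if __name__ == "__main__":
    for ts, user, what in run_triggers(SAMPLE_RECORDS, BASELINE):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<6} {what}")
```

Dave's in-baseline login produces nothing, which is the point of the baseline: the login itself is not the signal, the combination of an unusual origin and what follows it is. In practice the country baseline and thresholds should come from the firm's own history rather than the constants above.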

The Q2 2025 credential threat environment represents a shift in targeting calculus, not an escalation of attacker sophistication. Professional services firms are being hit because the return profile has become favorable relative to the difficulty of attack — not because attackers have developed new capabilities specifically for this sector. The practical implication is that the protective baseline required to reduce exposure is achievable for small and mid-sized firms. Phishing-resistant MFA, documented wire verification protocols, credential audits, and log monitoring are not enterprise-scale programs. They are operational decisions that can be implemented without large infrastructure investment. What they do require is accurate visibility into how credentials are actually used across the firm's current platform stack — which vendors hold authenticated access, which platforms have MFA gaps, which accounts carry excessive permissions, and where session management is not enforced. Most firms lack this visibility not because the information is unavailable, but because no structured process exists to gather and maintain it.

If you don't know which vendors hold authenticated access to your firm's data, you don't actually know your exposure.

A Business Privacy Audit produces that current-state map. · occunx.com