McDade Insurance Brokerage Blog

From First Call to Data Theft in One Business Day | McDade

Written by Charles D. McDade, LUTCF | Jul 7, 2026 2:28:07 PM
From the Founder

From first call to stolen files in one business day.

  • By Charles McDade, LUTCF
    Published July 2, 2026
  • Business Insurance

Google's threat intelligence team spent five months watching a criminal group work through American law firms and published the clock. In many cases, the whole crime, first contact to stolen files to extortion letter, fit inside a single business day. Here is the timeline, step by step, with the counter for every step.

The answer

Google's Mandiant team documented dozens of intrusions at legal and professional firms from January through May 2026, and in many the entire attack ran inside one business day, with file theft sometimes starting in under an hour. Every step of the timeline has a cheap, procedural counter, and the whole defense fits on one page.

The clock

The report comes from Google Cloud's Mandiant threat intelligence group, which investigated a campaign by the cluster it tracks as UNC3753, the same group the FBI calls Silent Ransom. Dozens of organizations across legal, financial, and professional services were hit between January and May 2026.

Two numbers from the report deserve a place on your wall. In many investigated incidents, the entire sequence from first contact to data theft and extortion occurred within a single business day. And in recent cases, the searching, staging, and theft of files began in under an hour. Once the files are gone, the extortion email arrives within about thirty minutes and gives the firm three days to respond, with threats to contact employees and clients directly and to publish everything on a public leak site if it does not.

The whole crime fits inside a workday. The defense fits on one page.

The timeline, step by step

Here is how Google's investigators describe the sequence, translated out of the technical language.

It starts with an email that almost nobody would report. An invoice-themed message from an ordinary consumer email account, carrying no link and no attachment, saying something as plain as, hello, here is the invoice we talked about yesterday. Per Google's assessment, the message exists for one reason only, to plant a small worry so the follow-up phone call gets answered. Then the call comes. The caller poses as the firm's IT helpdesk, using names and numbers harvested from the firm's own website, and walks the employee into a screen sharing session on an ordinary platform like Teams, Zoom, or Quick Assist.

From inside the session, the employee is talked into installing a remote support tool, the same legitimate software real IT departments use. In documented cases the attackers then moved from personal devices into the firm's virtual desktops, searched document systems like iManage for agreements, tax records, and personal information, staged the files, and moved them out with ordinary transfer tools or a cloud drive. In one incident Google describes, the same employee was kept on the phone across five separate calls over three days. Patience is part of the product.

Notice what never appears in that timeline. No malware. No broken software. Every tool involved is legitimate, which is why the report notes these intrusions leave little for antivirus to catch.

The counter for every step

Now run the same timeline from your side of the table. Every step has a counter, and none of them requires a security budget.

Step by step, the defense

  1. The invoice email with no link and no attachment. That absence is the tell. Report it to whoever handles your systems, and never call a number supplied in an unexpected invoice message.
  2. The IT call. Nobody grants access from an inbound call. Hang up, call back on the internal number your firm already has. Two minutes, every time.
  3. The screen share and the install. A standing rule that remote support tools are installed only by your own IT provider, never during a call the employee did not initiate, kills the entry mechanism outright.
  4. The personal device pivot. Where possible, limit access to firm systems to firm controlled devices. If your team works from personal machines, that decision deserves a deliberate review, not a default.
  5. The document system search. Multifactor authentication on your document repositories, and alerts on unusually large downloads, turn an hour of quiet theft into a loud one.

If you suspect any step of this timeline has already touched your firm, the recognition checklist is at six signs your team has been phished, and the response sequence is at the first hours playbook.

What the clock means for the program

A crime that finishes in a business day changes the math between prevention and detection. Monitoring that alerts you next week is bookkeeping. The procedures above are the actual defense, and they carry a second benefit, because carriers increasingly treat documented verification procedures and access controls as underwriting assets that move pricing and terms.

The insurance itself is the financial backstop for the day a rehearsed caller finds an unrehearsed moment. The policy parts that respond to a data theft extortion, and the boundary with your malpractice coverage, are mapped at law firm cyber insurance. And this scheme has a twin aimed at your money instead of your files, documented at social engineering fraud for law firms. Same con, different asset. The full program lives at Houston law firm insurance.

You do not have to be faster than the criminal. You need one procedure that refuses to be rushed.

Charles McDade, LUTCF, Founder, McDade Insurance Brokerage Group

Sources worth opening before you decide.

This article uses public source material from Google Cloud's Mandiant threat intelligence report and the FBI's advisory to law firms.

The purpose is to make the timeline familiar before it is personal. Google's investigators describe how the hour unfolds. Whether your firm's procedures and policy are ready for it is answered by your documents, which is exactly what the review reads.

Questions firm owners ask.

How fast do these law firm attacks actually move?

Google's Mandiant team, which investigated the campaign, reported that in many incidents the full sequence from first contact to data theft and extortion happened within a single business day, and that in recent cases file searching and theft began in under an hour. The extortion email typically arrives within about thirty minutes of the theft and sets a three day deadline.

What is the invoice email with no attachment?

It is the opening move. Google's report describes benign, invoice-themed emails sent from ordinary consumer accounts carrying no links and no attachments. The message exists only to plant a worry so the target answers a follow-up call from someone posing as IT support. An unexpected invoice email with nothing attached is worth reporting precisely because it looks harmless.

What are remote support tools and why do attackers use them?

They are the legitimate programs real IT departments use to help employees at a distance. Attackers talk victims into installing them because they provide full access while looking completely normal to security software. The counter is procedural. Remote support tools get installed only by your own IT provider, never during a call the employee did not initiate.

Can a small firm realistically defend against this?

Yes, and in some ways more easily than a large one, because the defense is procedural and a small firm can put one page in front of every employee this week. Callback verification, no access from inbound calls, controlled installs, and multifactor authentication counter every documented step. Carriers increasingly reward these controls at underwriting, and about 40 percent of the time we tell clients to stay with their current carrier because that is the right answer.

What Houston clients say.

 
The Next Step

The criminals rehearsed. Your firm can too.

Send us the policies you carry today. We will read them against this exact timeline, show you which procedures your carrier already rewards, and put the whole defense in plain English on one page your team will actually use.

Commercial reviews route to our commercial desk and follow your calendar, not ours. Local broker. National infrastructure.