Google's threat intelligence team spent five months watching a criminal group work through American law firms and published the clock. In many cases, the whole crime, first contact to stolen files to extortion letter, fit inside a single business day. Here is the timeline, step by step, with the counter for every step.
The answer
Google's Mandiant team documented dozens of intrusions at legal and professional firms from January through May 2026, and in many the entire attack ran inside one business day, with file theft sometimes starting in under an hour. Every step of the timeline has a cheap, procedural counter, and the whole defense fits on one page.
The report comes from Google Cloud's Mandiant threat intelligence group, which investigated a campaign by the cluster it tracks as UNC3753, the same group the FBI calls Silent Ransom. Dozens of organizations across legal, financial, and professional services were hit between January and May 2026.
Two numbers from the report deserve a place on your wall. In many investigated incidents, the entire sequence from first contact to data theft and extortion occurred within a single business day. And in recent cases, the searching, staging, and theft of files began in under an hour. Once the files are gone, the extortion email arrives within about thirty minutes and gives the firm three days to respond, with threats to contact employees and clients directly and to publish everything on a public leak site if it does not.
The whole crime fits inside a workday. The defense fits on one page.
Here is how Google's investigators describe the sequence, translated out of the technical language.
It starts with an email that almost nobody would report. An invoice-themed message from an ordinary consumer email account, carrying no link and no attachment, saying something as plain as, hello, here is the invoice we talked about yesterday. Per Google's assessment, the message exists for one reason only, to plant a small worry so the follow-up phone call gets answered. Then the call comes. The caller poses as the firm's IT helpdesk, using names and numbers harvested from the firm's own website, and walks the employee into a screen sharing session on an ordinary platform like Teams, Zoom, or Quick Assist.
From inside the session, the employee is talked into installing a remote support tool, the same legitimate software real IT departments use. In documented cases the attackers then moved from personal devices into the firm's virtual desktops, searched document systems like iManage for agreements, tax records, and personal information, staged the files, and moved them out with ordinary transfer tools or a cloud drive. In one incident Google describes, the same employee was kept on the phone across five separate calls over three days. Patience is part of the product.
Notice what never appears in that timeline. No malware. No broken software. Every tool involved is legitimate, which is why the report notes these intrusions leave little for antivirus to catch.
Now run the same timeline from your side of the table. Every step has a counter, and none of them requires a security budget.
If you suspect any step of this timeline has already touched your firm, the recognition checklist is at six signs your team has been phished, and the response sequence is at the first hours playbook.
A crime that finishes in a business day changes the math between prevention and detection. Monitoring that alerts you next week is bookkeeping. The procedures above are the actual defense, and they carry a second benefit, because carriers increasingly treat documented verification procedures and access controls as underwriting assets that move pricing and terms.
The insurance itself is the financial backstop for the day a rehearsed caller finds an unrehearsed moment. The policy parts that respond to a data theft extortion, and the boundary with your malpractice coverage, are mapped at law firm cyber insurance. And this scheme has a twin aimed at your money instead of your files, documented at social engineering fraud for law firms. Same con, different asset. The full program lives at Houston law firm insurance.
You do not have to be faster than the criminal. You need one procedure that refuses to be rushed.
Charles McDade, LUTCF, Founder, McDade Insurance Brokerage Group
This article uses public source material from Google Cloud's Mandiant threat intelligence report and the FBI's advisory to law firms.
The purpose is to make the timeline familiar before it is personal. Google's investigators describe how the hour unfolds. Whether your firm's procedures and policy are ready for it is answered by your documents, which is exactly what the review reads.
Google's Mandiant team, which investigated the campaign, reported that in many incidents the full sequence from first contact to data theft and extortion happened within a single business day, and that in recent cases file searching and theft began in under an hour. The extortion email typically arrives within about thirty minutes of the theft and sets a three day deadline.
It is the opening move. Google's report describes benign, invoice-themed emails sent from ordinary consumer accounts carrying no links and no attachments. The message exists only to plant a worry so the target answers a follow-up call from someone posing as IT support. An unexpected invoice email with nothing attached is worth reporting precisely because it looks harmless.
They are the legitimate programs real IT departments use to help employees at a distance. Attackers talk victims into installing them because they provide full access while looking completely normal to security software. The counter is procedural. Remote support tools get installed only by your own IT provider, never during a call the employee did not initiate.
Yes, and in some ways more easily than a large one, because the defense is procedural and a small firm can put one page in front of every employee this week. Callback verification, no access from inbound calls, controlled installs, and multifactor authentication counter every documented step. Carriers increasingly reward these controls at underwriting, and about 40 percent of the time we tell clients to stay with their current carrier because that is the right answer.
Send us the policies you carry today. We will read them against this exact timeline, show you which procedures your carrier already rewards, and put the whole defense in plain English on one page your team will actually use.
Commercial reviews route to our commercial desk and follow your calendar, not ours. Local broker. National infrastructure.