Malicious Email Campaign Targeting Attorneys Spoofs Emails From Statewide Legal Organizations

In June 2016 MS-ISAC became aware of a malicious email campaign targeting attorneys, which spoofs emails from statewide legal organizations, such as the Bar Association and the Board of Bar Examiners. The subject and body of the emails include claims that "a complaint was filed against your law practice" or that "records indicate your membership dues are past due." Recipients are asked to respond to the claims by clicking a link which leads to a malicious download, potentially ransomware.

The emails are well written and appear to originate from the appropriate authority, such as an Association official, likely increasing their effectiveness. Reporting from various states indicates a likelihood that this campaign is personalized to individuals practicing in a particular state and may be progressing on a state-by-state basis. The following states have been referenced in public reporting on this campaign: Alabama, California, Florida, Georgia, and Nevada. This targeting may include attorneys working for state, local, tribal, and territorial (SLTT) governments.

MS-ISAC recommends the following actions:
Share this information with potentially impacted organizations your area of responsibility, including Departments of Law/Justice, related law enforcement agencies, and agency-specific offices of counsel.
Train government legal professionals in identifying spear phishing emails which may include spoofed email addresses, unusual requests, and questionable and/or masked links. This particular series of emails includes what appears to be a link to the state bar association, but when the user hovers over the link it shows that the link is really to a different website. Copying and pasting the link, instead of clicking on it, would defeat this social engineering attempt.
Perform regular backups of all systems to limit the impact of data loss from ransomware infections. Backups should be stored offline.
Additional recommendations for protecting against and responding to phishing campaigns are available at[2].pdf.
Additional recommendations for protecting against and responding to ransomware infections are available at Primer - Ransomware.pdf.
Report any suspicious emails to the Internet Crime Complaint Center (IC3,, as well as to the legal organization which is spoofed in the addressed email.

Additionally, please do not hesitate to leverage MS-ISAC to assist you in investigating any targeting affecting SLTT entities in your area of responsibility. MS-ISAC performs a variety of incident response services including log analysis, malware analysis, computer forensics, development of a mitigation and recovery strategy as well as network and application vulnerability scanning. Requests for these services can be obtained by calling 1-866-787-4722 or sending an email to